Malicious activity detection, validation, and remediation in virtualized file servers

ABSTRACT

Examples of file analytics systems are described that may obtain metadata and events data from a virtualized file server. The file analytics systems may detect one or more events from the events data matching criteria indicating malicious activity. The file analytics systems may validate the detection of malicious activity. The validation may be performed by comparing the file type, such as the MIME type, of sample files before and after the suspected malicious activity. The systems may recover a share of the distributed file server including the one or more affected files by replacing the one or more affected files with stored versions of the one or more affected files from a snapshot of the share taken prior to the detected malicious activity.

TECHNICAL FIELD

Examples described herein relate generally to distributed file server systems. Examples of file analytics systems are described which may obtain events from the distributed file server, and generate metrics based on the same. Examples of file analytics systems that retrieve metadata from snapshots of the file system to detect and validate malicious activity in the file system are described.

BACKGROUND

Data, including files, are increasingly important to enterprises and individuals. The ability to store significant corpuses of files is important to operation of many modern enterprises. Existing systems that store enterprise data may be complex or cumbersome to interact with in order to quickly or easily establish what actions have been taken with respect to the enterprise's data and what attention may be needed from an administrator. In addition, an incomplete catalog of the file system may result in an incomplete analysis of the enterprise data to determine usage characteristics and to detect anomalies and malicious activity which may result in significant data loss.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1A is a schematic illustration of a distributed computing system hosting a virtualized file server and a file analytics system arranged in accordance with examples described herein.

FIG. 1B illustrates an example hierarchical structure of a portion of the VFS of FIG. 1A according to particular embodiments.

FIG. 1C is a schematic illustration of the distributed computing system of FIG. 1A showing a failover of a failed FSVM in accordance with examples described herein.

FIG. 2A is a schematic illustration of a clustered virtualization environment implementing a virtualized file server and a file analytics system according to particular embodiments.

FIG. 2B is an example procedure which may be implemented by a monitoring process to raise alerts in accordance with examples described herein.

FIG. 3A is a schematic illustration of a system including a flow diagram for ingestion of information from a virtualized file server (VFS) by an analytics virtual machine according to particular embodiments.

FIG. 3B depicts an example sequence diagram for transmission of event data records from the audit framework to the analytics VM in accordance with embodiments of the disclosure.

FIG. 3C depicts an example timing diagram for routing event data records to particular message topics and message topic partitions in accordance with embodiments of the disclosure.

FIG. 3D is a schematic illustration of an example file analytics system which may provide metrics adjusted for application operation (e.g., temporary file handling).

FIG. 4 depicts an exemplary user interface showing various analytic data based on file server events, according to particular embodiments.

FIG. 5 depicts an exemplary user interface showing various analytic data based on file server events, according to particular embodiments.

FIG. 6 depicts an example user interface reporting various anomaly-related data, according to particular embodiments.

FIG. 7A illustrates a clustered virtualization environment implementing file server virtual machine of a virtualized file server (VFS) and an analytics VM according to particular embodiments.

FIG. 7B depicts an example sequence diagram for managing read and write indexes for storage of event data records via the audit framework in accordance with embodiments of the disclosure.

FIG. 8 depicts a block diagram of components of a computing node (e.g., device) in accordance with embodiments of the present disclosure.

FIG. 9A depicts an example pattern of file server events indicating malicious activity, in accordance with embodiments of the present disclosure.

FIG. 9B depicts an example pattern of file server events indicating malicious activity, in accordance with embodiments of the present disclosure.

FIG. 9C depicts an example pattern of file server events indicating malicious activity, in accordance with embodiments of the present disclosure.

FIG. 10A depicts an example hierarchical structure of a portion of the VFS during remediation following detection of malicious activity, in accordance with embodiments of the present disclosure.

FIG. 10B depicts an example hierarchical structure of a portion of the VFS following remediation after detection of malicious activity, in accordance with embodiments of the present disclosure.

FIG. 11 is a flow chart of example operations for detection of malicious activity on a file server in accordance with embodiments of the present disclosure.

FIG. 12 is a flow chart of example operations for recovery of a file server from a malicious attack in accordance with embodiments of the present disclosure.

FIG. 13 is a flow chart of example operations for updating a malware detection system in accordance with embodiments of the present disclosure.

FIG. 14 is a flow chart of example operations for recovery of a file server from a malicious attack, including validating the detection of malicious activity, arranged in accordance with embodiments of the present disclosure.

DETAILED DESCRIPTION

Examples described herein include metadata and events based file analytics systems for hyper-converged scale out distributed file storage systems. Embodiments presented herein disclose a file analytics system which may retrieve, organize, aggregate, and/or analyze information pertaining to a file system. Information about the file system may be stored in an analytics datastore. The file analytics system may query or monitor the analytics datastore to provide information (e.g., to an administrator) in the form of display interfaces, reports, and alerts and/or notifications. In some examples, the file analytics system may be hosted on a computing node, whether standalone or on a cluster of computing nodes. In some examples, the file analytics system may interface with a file system managed by a distributed virtualized file server (VFS) hosted on a cluster of computing nodes. An example VFS may provide for shared storage (e.g., across an enterprise), failover and backup functionalities, as well as scalability and security of data stored on the VFS.

Examples of the file analytics systems described herein may detect and take action responsive to the detection of suspected or actual ransomware. Ransomware is a type of malicious software, examples of which may be designed to block access to a computer system or computer files until a sum of money is paid. Most ransomware variants encrypt user files on the affected computer, hold the decryption key (making user files inaccessible), and demand a ransom payment to restore access.

Ransomware is a growing threat, and many existing solutions are not able to provide automated detection of, remediation of, and recovery from attacks. Some existing approaches include intrusive detection implemented at the network layer monitoring an end point. Such monitoring approaches generally focus on who and what are being attacked rather than detecting evidence of attack. Further, these approaches are generally not designed to inform the end-user that infection has been detected. Other existing approaches include taking backups or snapshots of the file system at regular intervals, such that snapshots may be used to restore an attacked system. Such approaches generally lead to loss of data, as data created between backups is often lost and not recoverable after a ransomware attack. Further existing approaches may detect ransomware through pre-defined digital signatures. Such methods capture already known ransomware, but systems remain vulnerable to new and non-cataloged ransomware.

Analytics systems and file servers described herein may perform ransomware prevention, detection, remediation, and/or recovery. In some examples, automated workflows may allow ransomware to be detected based on events recorded from a file server. Upon detection of malicious activity (e.g., indicating a ransomware attack), the analytics system may take immediate action to remediate and/or recover from the attack. Virtualized file servers described herein may, in some examples, have an ability to maintain an allowlist (e.g., containing all file extensions allowed for an enterprise or other user) and/or a denylist (e.g., containing all file extensions that are not allowed for an enterprise or other user). The allowlist and denylist of file extensions may act as a preventative layer for ransomware attacks.

In some examples, file analytics systems may be used to track file system or file server events (e.g., reads from, writes to, renaming of, and changes to files) within a virtualized file server. The virtualized file servers may include an API interface for file blocking, and may provide multiple snapshots of files made available by the file server. Analytics systems may utilize events and/or patterns of events (e.g., file system events) to detect suspected ransomware. For example, ransomware may follow a pattern of steps (e.g., events) to infect files. In some examples, ransomware may delete shadow copies of files (e.g., default backups made by an operating system), copy an executable for ransomware to a system folder to receive elevated permissions, and create a service that runs during encryption of files. During encryption of files, encrypted files are renamed and ransom notes may be created. A log file may be created listing the number of targeted files, the number of encrypted files, and the number of files not encrypted, and the service may be stopped and deleted. In these examples, the file analytics system may review event data to detect ransomware behavior before the attack is completed. For example, the analytics system may identify the renaming of files during encryption and/or creation and storage of ransom notes. Each ransomware may have its own mechanism for renaming infected files and changing their extension and name. Known or suspected ransomware signatures (e.g., renaming patterns and/or extensions) may be stored and acted on by file analytics systems.
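A minimal sketch of the event-based detection described above, as an added example rather than code from this disclosure or any product: it flags renames to a denylisted extension and creation of ransom-note files in a stream of audit events, and reports the earliest suspicious time so that recovery can pick a snapshot taken before it. The extension list, note names, thresholds and event tuple layout are constructed assumptions.

```python
"""Added example: flag ransomware-like patterns in file server audit events."""
from collections import defaultdict, deque
from pathlib import PureWindowsPath

# Constructed signature sets and thresholds (assumptions, not from the source).
DENYLISTED_EXTENSIONS = {".locked", ".encrypted"}
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_recover.html"}
RENAME_BURST = 3       # suspicious renames by one user ...
WINDOW_SECONDS = 60    # ... within this many seconds

# Constructed audit events: (time, user, operation, path, new_path)
D = "\\\\enterprise\\hr\\docs\\"
SAMPLE_EVENTS = [
    (100, "alice", "rename", D + "plan.docx", D + "plan-v2.docx"),
    (200, "bob", "rename", D + "a.xlsx", D + "a.xlsx.locked"),
    (201, "bob", "rename", D + "b.pdf", D + "b.pdf.locked"),
    (202, "bob", "create", D + "README_TO_DECRYPT.txt", ""),
    (203, "bob", "rename", D + "c.docx", D + "c.docx.locked"),
    (204, "bob", "rename", D + "d.txt", D + "d.txt.locked"),
    (900, "carol", "rename", D + "old.txt", D + "old.txt.encrypted"),
]


def detect(events):
    """Return alerts for ransom-note creation and bursts of denylisted renames."""
    recent = defaultdict(deque)   # user -> (time, path) of recent suspicious renames
    open_bursts = {}              # user -> burst alert still collecting affected files
    alerts = []
    for ts, user, op, path, new_path in sorted(events, key=lambda e: e[0]):
        if op == "create":
            if PureWindowsPath(path).name.lower() in RANSOM_NOTE_NAMES:
                alerts.append({"rule": "ransom_note", "user": user,
                               "first_seen": ts, "files": [path]})
            continue
        if op != "rename" or not new_path:
            continue
        old_ext = PureWindowsPath(path).suffix.lower()
        new_ext = PureWindowsPath(new_path).suffix.lower()
        if new_ext not in DENYLISTED_EXTENSIONS or new_ext == old_ext:
            continue              # ordinary rename
        if user in open_bursts:   # already alerted: keep listing affected files
            open_bursts[user]["files"].append(path)
            continue
        window = recent[user]
        window.append((ts, path))
        while ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()      # forget renames outside the sliding window
        if len(window) >= RENAME_BURST:
            alert = {"rule": "rename_burst", "user": user,
                     "first_seen": window[0][0],
                     "files": [p for _, p in window]}
            open_bursts[user] = alert
            alerts.append(alert)
    return alerts


def snapshot_cutoff(alerts):
    """Earliest suspicious time; a recovery snapshot must predate it."""
    return min((a["first_seen"] for a in alerts), default=None)


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["rule"], alert["user"], alert["first_seen"], len(alert["files"]))
```

A single denylisted rename (the `carol` event) stays below the burst threshold here; a deployment that also blocks denylisted extensions at the file server would stop that rename outright.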

In some examples, file analytics systems may use features of the virtualized file servers (e.g., file blocking policies and self-service restore (SSR) capabilities) to prevent, remediate, and recover from ransomware attacks. For example, file analytics systems may utilize an API interface to virtualized file servers to block files from being created and/or renamed to names or properties of known ransomware file names or properties. Analytics systems may further view SSR configurations of the virtualized file server, which generally allows the virtualized file server to create a snapshot at a regular interval. The analytics systems may detect if any shares of the virtualized file server are not protected (e.g., SSR policy not enabled) and may create SSR policies to protect such shares.

During operation, the file analytics system may retrieve metadata associated with the file system, configuration and/or user information from the file system, and/or event data from the file system.

In some examples, the analytics tool and/or the corresponding file server may include protections to prevent event data from being processed out of chronological order. Data may be provided to the analytics tool from the file server via a messaging system. The file server may include an audit framework that manages event data in an event log. The audit framework may be configured to communicate with a message topic broker of the analytics tool to provide event data and/or metadata to the analytics tool from the event log. If a first message that includes event data for a first event corresponding to a particular file is not received by the analytics tool, processing a subsequent second message that includes event data for a second event corresponding to the particular file may present an inaccurate and/or inconsistent audit trail for the particular file.

In addition, the analytics tool may be capable of processing multiple streams of event data in parallel by separating messages corresponding to the event data message topic into multiple partition pipelines. To avoid processing events related to a particular file out of chronological order, the analytics tool may distribute events for the particular file to the same message topic partition pipeline.
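The ordering property described in the two paragraphs above, as an added example that is not part of the original disclosure: events keyed by file land in one FIFO partition, so per-file order survives any scheduling of the partition pipelines, while round-robin distribution does not preserve it. The partition count, event layout and function names are assumptions.

```python
"""Added example: per-file ordering with keyed partition routing."""
import hashlib
from collections import defaultdict
from itertools import permutations

NUM_PARTITIONS = 4  # assumed number of partition pipelines

# Constructed events, listed in the order the file server emitted them.
EVENTS = [
    {"file_id": "f1", "op": "create"},
    {"file_id": "f1", "op": "write"},
    {"file_id": "f2", "op": "create"},
    {"file_id": "f1", "op": "delete"},
    {"file_id": "f2", "op": "rename"},
]


def by_file(position, event):
    """Key on the file: a stable digest (Python's hash() is salted per process)."""
    digest = hashlib.sha256(event["file_id"].encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big")


def round_robin(position, event):
    """Key on arrival position: spreads load but splits a file across pipelines."""
    return position


def route(events, key_fn, num_partitions=NUM_PARTITIONS):
    """Distribute events into FIFO partitions according to key_fn."""
    partitions = [[] for _ in range(num_partitions)]
    for position, event in enumerate(events):
        partitions[key_fn(position, event) % num_partitions].append(event)
    return partitions


def consume(partitions, schedule):
    """Drain partitions in the given order and build a per-file audit trail.

    Each pipeline is FIFO, but pipelines run independently, so any drain
    order across pipelines is possible.
    """
    trail = defaultdict(list)
    for index in schedule:
        for event in partitions[index]:
            trail[event["file_id"]].append(event["op"])
    return dict(trail)


def expected_trail(events):
    trail = defaultdict(list)
    for event in events:
        trail[event["file_id"]].append(event["op"])
    return dict(trail)


def order_preserved(key_fn, events=EVENTS, num_partitions=NUM_PARTITIONS):
    """True if every pipeline schedule reproduces the original per-file order."""
    partitions = route(events, key_fn, num_partitions)
    want = expected_trail(events)
    return all(consume(partitions, schedule) == want
               for schedule in permutations(range(num_partitions)))


if __name__ == "__main__":
    print("keyed by file :", order_preserved(by_file))
    print("round robin   :", order_preserved(round_robin))
```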

In some examples, the information retrieved or received by the analytics tool may include event data records and metadata. The metadata collection process may include gathering the overall size, structure, storage locations of parts of the file system managed by the file server, as well as details (e.g., file size, allocated storage quota, creation and/or modification information, owner information, permissions information, etc.) for each data item (e.g., file, folder, directory, share, etc.) in the file system. In some examples, the metadata collection process may rely on scanning one or more snapshots of the file system managed by the file server to gather the metadata, such as one or more snapshots generated by a disaster recovery application of the file server. The analytics tool may use the information gathered from the one or more snapshots to develop a comprehensive picture of the file system managed by the file server. In some examples, the analytics tool may employ multiple threads to perform scans on the snapshots in parallel. The multiple threads may be employed to scan different shares in parallel, different files of a common share in parallel, or any combination thereof.

In some examples, the analytics tool may mount a particular snapshot of the file server to scan at least a portion of the file system to retrieve some of the metadata of the file system. In some examples, the analytics tool may communicate directly with each of the file server virtual machines of the file server during the metadata collection process to retrieve the respective portions of the metadata. In other examples, the analytics tool may communicate directly with another application or service of the distributed computing system, such as a disaster recovery service or application. In some examples, during the metadata scan, the file server or related application and/or the analytics tool may add a checkpoint or marker (e.g., index) after every completed metadata transaction to indicate where it left off scanning the metadata snapshots. The checkpoint may allow the analytics tool to return to the checkpoint to resume the scan should the scan be interrupted for some reason.

Without the checkpoint, the metadata scan may start anew, creating duplicate metadata records in the events log that need to be resolved. In addition, when successive snapshots are analyzed, the analytics tool may generate event data based on differences between the two snapshots. For example, if the metadata of a first snapshot indicates that a particular share has a first size and the metadata of a second snapshot indicates that the particular share has a second size, the analytics tool may generate an event that the size of the particular share was changed. Other types of events may be derived if a metadata comparison between two snapshots reveals that a file/folder/share/directory/etc. is added, removed, or some characteristic has been changed without departing from the scope of the disclosure.
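The checkpointed scan and the snapshot comparison described above, as an added example that is not code from this disclosure: an interrupted scan resumes from its marker without duplicating records, and a diff of two snapshots yields added, removed and changed events. The snapshot contents, the dictionary used as the checkpoint and all function names are constructed assumptions.

```python
"""Added example: resumable metadata scan and snapshot-to-snapshot events."""

# Constructed snapshot metadata: path -> attributes.
HR = "\\\\enterprise\\hr"
SNAP_1 = {
    HR: {"kind": "share", "size": 100},
    HR + "\\a.docx": {"kind": "file", "size": 40, "owner": "alice"},
    HR + "\\b.xlsx": {"kind": "file", "size": 60, "owner": "bob"},
}
SNAP_2 = {
    HR: {"kind": "share", "size": 75},
    HR + "\\a.docx": {"kind": "file", "size": 40, "owner": "carol"},
    HR + "\\c.pdf": {"kind": "file", "size": 35, "owner": "bob"},
}


class ScanInterrupted(Exception):
    """Raised to simulate a scan that stops part-way through."""


def scan(snapshot, records, checkpoint, interrupt_at=None):
    """Append one metadata record per item, starting at checkpoint['next']."""
    paths = sorted(snapshot)
    for i in range(checkpoint.get("next", 0), len(paths)):
        if i == interrupt_at:
            raise ScanInterrupted(paths[i])
        records.append((paths[i], snapshot[paths[i]]))  # one metadata transaction
        checkpoint["next"] = i + 1                      # marker written after it completes


def scan_with_interruption(use_checkpoint):
    """Interrupt a scan of SNAP_1 after two items, then run it again."""
    records, checkpoint = [], {}
    try:
        scan(SNAP_1, records, checkpoint, interrupt_at=2)
    except ScanInterrupted:
        pass
    if not use_checkpoint:
        checkpoint = {}          # marker unavailable: the scan starts anew
    scan(SNAP_1, records, checkpoint)
    return [path for path, _ in records]


def diff_events(old, new):
    """Derive (event, path, attribute) tuples from two snapshots' metadata."""
    events = []
    for path in sorted(old.keys() | new.keys()):
        if path not in old:
            events.append(("added", path, None))
        elif path not in new:
            events.append(("removed", path, None))
        else:
            for attr in sorted(old[path].keys() | new[path].keys()):
                if old[path].get(attr) != new[path].get(attr):
                    events.append(("changed", path, attr))
    return events


if __name__ == "__main__":
    print(len(scan_with_interruption(True)), "records with checkpoint")
    print(len(scan_with_interruption(False)), "records without checkpoint")
    for event in diff_events(SNAP_1, SNAP_2):
        print(event)
```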

In some examples, the shares of the file system may be sharded (e.g., distributed across multiple FSVMs), which may impact capturing of a complete set of metadata for the file system. Thus, as part of the metadata collection process, a distributed file protocol, e.g., DFS, may be used to obtain a collection of FSVM IDs (e.g., IP addresses) to be mounted to access a full share. However, in some examples, the analytics tool may be implemented using a Linux client or other client that may not support DFS referrals or other distributed file protocol to obtain identification of which FSVMs host which files (e.g., which shares). Typically, files may be sharded across multiple FSVMs based on their top-level directory (e.g., an initial folder such as \\enterprise\hr in the file system may include files and/or lower level folders stored across multiple FSVMs).

Accordingly, if a snapshot for a portion of a share hosted by one FSVM is mounted, the analytics tool may identify all folders (e.g., top-level directories), but not all data for the share may be available via the snapshot. Rather, some of the data may be hosted on other FSVMs. In some examples, the analytics tool may map top-level directories to FSVMs using the snapshots and/or differential snapshots, and then may use that information to traverse other snapshots and/or differential snapshots for those directories. So, for example, the analytics tool may identify that a first FSVM and a second FSVM may host a particular top-level (e.g., root) directory when scanning a particular snapshot. In order to scan all of the metadata for that top-level directory, snapshots created for portions of the top-level directory for both of the FSVMs may be accessed and scanned. In this manner, all data in the top-level directory (e.g., across a distributed SMB share) may be scanned by the analytics tool, even without use of a DFS Referral.

To capture configuration information, the file analytics system may use an application programming interface (API) architecture to request the configuration information. The configuration information may include user information, a number of shares, deleted shares, created shares, etc.

To capture event data, the VFS may include an audit framework with a connector publisher that is configured to publish the event data records and other information for consumption by other services using a message system. The event data records may include data related to various operations on the file system executed by the VFS, such as adding, deleting, moving, modifying, etc., a file, folder, directory, share, etc. The event data records may indicate an event type (e.g., add, move, delete, modify), a user associated with the event, an event time, etc.

To capture event data, the file analytics system may interface with the file server using a messaging system (e.g., publisher/subscriber message system) to receive event data. Received event data may be stored by the file analytics system in the analytics datastore. The event data may include data related to various operations performed with the file system, such as creating, deleting, reading, opening, editing, moving, modifying, etc., a file, folder, directory, share, etc., within the file system. The event information may indicate an event type (e.g., create, read, edit, delete), a user associated with the event, an event time, etc. Examples of events which may be supported in some examples include file open, file write, rename, file create, file read, file delete, security change, directory create, directory delete, file open/permission denied, file close, set attribute. Accordingly, events may be file server audit events (e.g., SMB audit events).

In some examples, the VFS may include protections to prevent event data from being lost. In some examples, the VFS may persistently store event data records according to a data retention policy (e.g., until a specific number of event data records have been reached, until the event data record exceeds a particular retention policy age limit, until the event data record is successfully provided to a particular requesting service (e.g., the analytics tool), until a total storage limit is exceeded, or some other retention criteria). Thus, if the requesting service (or the message system) becomes unavailable, the file server may persistently store the event data until the requesting service becomes available.

To support the persistent storage, as well as provision of the event data records to the requesting services, file server virtual machines (FSVMs) of the VFS may each include an audit framework that includes a dedicated event log (e.g., tied to a FSVM-specific volume group). The event log may be capable of being scaled to store all event data records and/or metadata for a particular FSVM according to a retention policy. The audit framework may include an audit queue, an event logger, an event log, and a service connector. The audit queue may be configured to receive event data records and/or metadata from the VFS via network file server or server message block server communications, and to provide the event data records and/or metadata to the event logger. The event logger may be configured to store the received event data records and/or metadata from the audit queue. In some examples, the event data records may be stored with a unique index value, such as a monotonically increasing sequence number, which may be used as a reference by the requesting services to request a specific event data record. The event logger may keep the in-memory state of the write index value in the event log, and may persist it periodically to a control record (e.g., a master block). When the audit framework is started or restarted, the master record may be read to set the write index.

The event logger may coordinate all of the event data and/or metadata writes and reads to and from the event log, which may facilitate the use of the event log for multiple services. The event logger may retrieve requested event data records and/or metadata from the event log in response to a request from the service connector. The service connector may be configured to communicate with the requesting services (e.g., such as a message topic broker of the analytics tool) to respond to requests for provision of event data and/or metadata, as well as receive acknowledgments when event data and/or metadata are successfully received by the analytics tool. In some examples, the event logger or the service connector may maintain, for each requesting service, a last-provided or a next read index value. The event logger may use the last-provided or the next read index value to determine a next data record to send to a requesting service.

Multiple services may be able to read from the event log via their own service connectors (e.g., Kafka connectors). A service connector may have the responsibility of sending event data and metadata to the requesting service (e.g., such as the message topic broker of the analytics VM 170) reliably, keeping track of its state, and reacting to its failure and recovery. In some examples, each service connector may be tasked with persisting its respective read index, as well as being able to communicate the respective read index to the event logger when initiating an event read. The service connector may increment the in-memory read index in response to receipt of an acknowledgement from its corresponding service. In some examples, the service connector may periodically persist an in-memory state of a particular read index to the control record. The persisted read index value may be read at start/restart and used to set the in-memory read index to a value from which to start reading.
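The write-index and read-index handling described in the preceding paragraphs, as an added example that is not code from this disclosure: a connector advances its read index only on acknowledgement and persists it periodically, so a restart may resend an already acknowledged record, which the receiver recognizes by its unique index. The class names, the dictionaries standing in for the event log and control record, and the persist interval are assumptions.

```python
"""Added example: event log indexes with acknowledged, resumable delivery."""


class EventLog:
    """Stores records under a monotonically increasing write index."""

    def __init__(self, records, control):
        self.records, self.control = records, control
        # On start or restart the write index comes from the control record.
        self.write_index = control.get("write_index", 0)

    def append(self, event):
        index = self.write_index
        self.records[index] = event
        self.write_index += 1
        # Simplification: persisted on every write rather than periodically.
        self.control["write_index"] = self.write_index
        return index

    def read(self, index):
        return self.records.get(index)


class ServiceConnector:
    """Delivers records to one requesting service and tracks its read index."""

    def __init__(self, name, log, control, persist_every=2):
        self.log, self.control = log, control
        self.key = "read_index:" + name
        self.persist_every = persist_every
        self.acks_since_persist = 0
        self.read_index = control.get(self.key, 0)   # restored at start/restart

    def deliver(self, service):
        """Send in index order; stop without advancing when no ack arrives."""
        while (event := self.log.read(self.read_index)) is not None:
            if not service(self.read_index, event):
                return False                         # retry from the same index later
            self.read_index += 1                     # advance only after the ack
            self.acks_since_persist += 1
            if self.acks_since_persist >= self.persist_every:
                self.control[self.key] = self.read_index
                self.acks_since_persist = 0
        return True


class Broker:
    """Stand-in for the requesting service; deduplicates on the record index."""

    def __init__(self, accept_limit=None):
        self.accept_limit = accept_limit   # messages accepted before going down
        self.stored, self.duplicates = {}, 0

    def __call__(self, index, event):
        if self.accept_limit == 0:
            return False                   # unavailable: no acknowledgement
        if self.accept_limit is not None:
            self.accept_limit -= 1
        if index in self.stored:
            self.duplicates += 1           # resent after a restart
        else:
            self.stored[index] = event
        return True


def run_scenario():
    records, control = {}, {}
    log = EventLog(records, control)
    for op in ("create", "write", "rename", "write", "delete"):
        log.append({"op": op, "path": "\\\\enterprise\\hr\\a.docx"})  # constructed events
    broker = Broker(accept_limit=3)        # goes down after three records
    ServiceConnector("analytics", log, control).deliver(broker)

    # Audit framework restart: in-memory indexes are lost, control record survives.
    log = EventLog(records, control)
    connector = ServiceConnector("analytics", log, control)
    resumed_from = connector.read_index
    broker.accept_limit = None             # service is available again
    connector.deliver(broker)
    return {"stored": sorted(broker.stored), "duplicates": broker.duplicates,
            "resumed_from": resumed_from, "write_index": log.write_index,
            "persisted_read_index": control["read_index:analytics"]}


if __name__ == "__main__":
    print(run_scenario())
```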

In some situations, a user of a file system may take an action through an application which may cause additional files to be created and/or other events to occur. These additional files and/or other events may be ancillary to the user's action and may be due to the internal operation of the application. The additional files and/or other events created and/or taken by the application responsive to the user action may cause the event data sent by the file system to the analytics system to include events which do not pertain to the user's action, but to the application's internal activity taken to accomplish the requested action. This may obscure reporting on particular metrics—such as actions taken by a user, number of files in the system, or other metrics. In order to obtain metrics which reflect the user action, and reduce or eliminate ancillary actions taken by applications to accomplish the user action, examples of file analytics systems described herein may filter event data to select certain events associated with the user action (e.g., to discard certain events associated with operation of the application). These filtered events may then be used for reporting, rather than the entirety of the event data. Moreover, in some examples, the operation of the application may cause one or more additional files to be generated (e.g., one or more temporary files). Examples of file analytics systems described herein may provide a lineage index which stores associations between files requested to be manipulated by a user and files created by an application responsive to the user request (e.g., temporary files). The lineage index may be accessed by file analytics systems described herein so that the file analytics system may analyze a set of events corresponding to both the requested file and the application-created file(s) (e.g., temporary file(s)). This full set of events may be filtered in some examples to remove application-originated events ancillary to the user's action. The filtered event data may be used for reporting, which may be more accurate than the initial event data including all events, including internal application-generated events.

Certain details are set forth herein to provide an understanding of described embodiments of technology. However, other examples may be practiced without various of these particular details. In some instances, well-known circuits, control signals, timing protocols, and/or software operations have not been shown in detail in order to avoid unnecessarily obscuring the described embodiments. Other embodiments may be utilized, and other changes may be made, without departing from the spirit or scope of the subject matter presented here.

In some examples, the file analytics system and/or the corresponding file system may include protections to prevent and/or reduce event data from being lost. For example, the file system may be configured to store event data until it is consumed by the file analytics tool. For example, if the file analytics tool becomes unavailable, the file system may store the event data until the file analytics tool becomes available. The file analytics tool and/or the file system may further include architecture to prevent and/or reduce event data from being processed out of chronological order.

In some examples, the file analytics system may perform a metadata collection process. The metadata collection process may be performed wholly and/or partially in parallel with receipt of event data via the messaging system in some examples. The file analytics system may reconcile information captured via the metadata collection process with event data information. The reconciliation may prevent and/or reduce the incidence of older data from overwriting newer data. In some examples, the reconciliation process may ensure that the metadata is accurate.

The file analytics system may generate reports, including predetermined reports and/or customizable reports. The reports may be related to aggregate and/or specific user activity; aggregate file system activity; specific file, directory, share, etc., activity; etc.; or any combination thereof.

In some examples, the file analytics system may be configured to analyze the received event data to detect irregular, anomalous, and/or malicious activity within the file system. For example, the file analytics system may detect malicious software activity (e.g., ransomware) or anomalous user activity (e.g., deleting a large amount of files, deleting a large share, etc.). In some examples, because the metadata is kept up-to-date based on events occurring in the file system, the reports generated by the file analytics system and/or the analysis conducted by the file analytics system may be presented and/or updated in real-time (e.g., including events occurring within the past day, hour, minute, second, or other time interval).

As previously described, the file analytics system may retrieve, organize, aggregate, and/or analyze information corresponding to a file system managed by a distributed VFS. Accordingly, the file analytics system may interface with multiple instances of processes (such as multiple file server virtual machines (VMs) and/or multiple containers) that make up the distributed VFS to retrieve the information. In some examples, the file analytics system may be hosted in a virtualized environment (e.g., hosted on a VM and/or in a container).

Examples described herein provide analytics which may be used, for example, to collect, analyze, and display data about a virtualized file system. Virtualization may be advantageous in modern business and computing environments in part because of the resource utilization advantages provided by virtualized computing systems. Without virtualization, if a physical machine is limited to a single dedicated process, function, and/or operating system, then during periods of inactivity by that process, function, and/or operating system, the physical machine is not utilized to perform useful work. This may be wasteful and inefficient if there are users on other physical machines which are currently waiting for computing resources. To address this problem, virtualization allows multiple VMs and/or containers to share the underlying physical resources so that during periods of inactivity by one VM and/or container, other VMs and/or containers can take advantage of the resource availability to process workloads. This can produce efficiencies for the utilization of physical devices, and can result in reduced redundancies and better resource cost management.

Furthermore, virtualized computing systems may be used to not only utilize the processing power of the physical devices but also to aggregate the storage of the individual physical devices to create a logical storage pool where the data may be distributed across the physical devices but appears to the virtual machines and/or containers to be part of the system that the virtual machine and/or container is hosted on. Such systems may operate using metadata, which may be distributed and replicated any number of times across the system, to locate the indicated data.

FIG. 1A is a schematic illustration of a distributed computing system 100 hosting a virtualized file server and a file analytics system arranged in accordance with examples described herein. Additional examples of virtualized file servers may be found, for example, in US Published Application 2017/0235760, entitled, “Virtualized File Server,” published Aug. 17, 2017, which publication is hereby incorporated by reference in its entirety for any purpose. The system 100, which may be a virtualized system and/or a clustered virtualized system, includes a virtualized file server (VFS) 160 and an analytics VM 170. While shown as a virtual machine, examples of analytics applications may be implemented using one or more virtual machines, containers or both. The analytics application, e.g., analytics VM 170, may retrieve, organize, aggregate, and/or analyze information pertaining to the VFS 160. Data collected by the analytics application may be stored in an analytics datastore 190. The analytics datastore may be distributed across the various storage devices shown in FIG. 1A in some examples. While shown as hosted in a same computing system cluster as hosts the VFS 160, the analytics VM 170 and/or analytics datastore may in other examples be outside the cluster and in communication with the cluster. In some examples the analytics VM and/or analytics data store may be provided as a hosted solution in one or more cloud computing platforms.

The system of FIG. 1A can be implemented using a distributed computing system. Distributed computing systems generally include multiple computing nodes (e.g., physical computing resources)—host machines 102, 106, and 104 are shown in FIG. 1A—that may manage shared storage, which may be arranged in multiple tiers. The storage may include storage that is accessible through network 154, such as, by way of example and not limitation, cloud storage 108 (e.g., which may be accessible through the Internet), network-attached storage 110 (NAS) (e.g., which may be accessible through a LAN), or a storage area network (SAN). Examples described herein may also or instead permit local storage 136, 138, and 140 that is incorporated into or directly attached to the host machine and/or appliance to be managed as part of storage pool 156. Accordingly, the storage pool may include local storage of one or more of the computing nodes in the system, storage accessible through a network, or both local storage of one or more of the computing nodes in the system and storage accessible over a network. Examples of local storage may include solid state drives (SSDs), hard disk drives (HDDs, and/or “spindle drives”), optical disk drives, external drives (e.g., a storage device connected to a host machine via a native drive interface or a serial attached SCSI interface), or any other direct-attached storage. These storage devices, both direct-attached and/or network-accessible, collectively form storage pool 156. Virtual disks (or “vDisks”) may be structured from the physical storage devices in storage pool 156. A vDisk generally refers to a storage abstraction that is exposed by a component (e.g., a virtual machine, hypervisor, and/or container described herein) to be used by a client (e.g., a user VM, such as user VM 12). In examples described herein, controller VMs (e.g., controller VM 124, 126, and/or 128 of FIG. 1A) may provide access to vDisks. In other examples, access to vDisks may additionally or instead be provided by one or more hypervisors (e.g., hypervisor 130, 132, and/or 134). In some examples, the vDisk may be exposed via iSCSI (“internet small computer system interface”) or NFS (“network file system”) and may be mounted as a virtual disk on the user VM. In some examples, vDisks may be organized into one or more volume groups (VGs).

Each host machine 102, 106, 104 may run virtualization software. Virtualization software may include one or more virtualization managers (e.g., one or more virtual machine managers, such as one or more hypervisors, and/or one or more container managers). Examples of hypervisors include NUTANIX AHV, VMWARE ESX(I), MICROSOFT HYPER-V, DOCKER hypervisor, and REDHAT KVM. Examples of container managers include Kubernetes. The virtualization software shown in FIG. 1A includes hypervisors 130, 132, and 134 which may create, manage, and/or destroy user VMs, as well as manage the interactions between the underlying hardware and user VMs. While hypervisors are shown in FIG. 1A, containers may be used additionally or instead in other examples. User VMs may run one or more applications that may operate as “clients” with respect to other elements within system 100. While shown as virtual machines in FIG. 1A, containers may be used to implement client processes in other examples. Hypervisors may connect to one or more networks, such as network 154 of FIG. 1A to communicate with storage pool 156 and/or other computing system(s) or components.

In some examples, controller virtual machines, such as CVMs 124, 126, and 128 of FIG. 1A are used to manage storage and input/output (“I/O”) activities according to particular embodiments. While examples are described herein using CVMs to manage storage I/O activities, in other examples, container managers and/or hypervisors may additionally or instead be used to perform described CVM functionality. The arrangement of virtualization software should be understood to be flexible. In some examples, CVMs act as the storage controller. Multiple such storage controllers may coordinate within a cluster to form a unified storage controller system. CVMs may run as virtual machines on the various host machines, and work together to form a distributed system that manages all the storage resources, including local storage, network-attached storage 110, and cloud storage 108. The CVMs may connect to network 154 directly, or via a hypervisor. Since the CVMs run independent of hypervisors 130, 132, 134, in examples where CVMs provide storage controller functionality, the system may be implemented within any virtual machine architecture, since the CVMs of particular embodiments can be used in conjunction with any hypervisor from any virtualization vendor. In other examples, the hypervisor may provide storage controller functionality and/or one or more containers may be used to provide storage controller functionality (e.g., to manage I/O requests to and from the storage pool 156).

A host machine may be designated as a leader node within a cluster of host machines. For example, host machine 104, as indicated by the asterisks, may be a leader node. A leader node may have a software component designated to perform operations of the leader. For example, CVM 126 on host machine 104 may be designated to perform such operations. A leader may be responsible for monitoring or handling requests from other host machines or software components on other host machines throughout the virtualized environment. If a leader fails, a new leader may be designated. In particular embodiments, a management module (e.g., in the form of an agent) may be running on the leader node.

Virtual disks may be made available to one or more user processes. In the example of FIG. 1A, each CVM 124, 126, and 128 may export one or more block devices or NFS server targets that appear as disks to user VMs 112, 114, 116, 118, 120, and 122. These disks are virtual, since they are implemented by the software running inside CVMs 124, 126, and 128. Thus, to user VMs, CVMs appear to be exporting a clustered storage appliance that contains some disks. User data (e.g., including the operating system in some examples) in the user VMs may reside on these virtual disks.

Performance advantages can be gained in some examples by allowing the virtualization system to access and utilize local storage 136, 138, and 140. This is because I/O performance may be much faster when performing access to local storage as compared to performing access to network-attached storage 110 across a network 154. This faster performance for locally attached storage can be increased even further by using certain types of optimized local storage devices, such as SSDs.

As a user process (e.g., a user VM) performs I/O operations (e.g., a read operation or a write operation), the I/O commands may be sent to the hypervisor that shares the same server as the user process, in examples utilizing hypervisors. For example, the hypervisor may present to the virtual machines an emulated storage controller, receive an I/O command and facilitate the performance of the I/O command (e.g., via interfacing with storage that is the object of the command, or passing the command to a service that will perform the I/O command). An emulated storage controller may facilitate I/O operations between a user VM and a vDisk. A vDisk may present to a user VM as one or more discrete storage drives, but each vDisk may correspond to any part of one or more drives within storage pool 156. Additionally or alternatively, CVMs 124, 126, 128 may present an emulated storage controller either to the hypervisor or to user VMs to facilitate I/O operations. CVMs 124, 126, and 128 may be connected to storage within storage pool 156. CVM 124 may have the ability to perform I/O operations using local storage 136 within the same host machine 102, by connecting via network 154 to cloud storage 108 or network-attached storage 110, or by connecting via network 154 to local storage 138 or 140 within another host machine 204 or 206 (e.g., via connecting to another CVM 126 or 128). In particular embodiments, any computing system may be used to implement a host machine.

Examples described herein include virtualized file servers. A virtualized file server may be implemented using a cluster of virtualized software instances (e.g., a cluster of file server virtual machines). A virtualized file server 160 is shown in FIG. 1A including a cluster of file server virtual machines. The file server virtual machines may additionally or instead be implemented using containers. In some examples, the VFS 160 provides file services to user VMs 112, 114, 116, 118, 120, and 122. The file services may include storing and retrieving data persistently, reliably, and/or efficiently in some examples. The user virtual machines may execute user processes, such as office applications or the like, on host machines 102, 104, and 106. The stored data may be represented as a set of storage items, such as files organized in a hierarchical structure of folders (also known as directories), which can contain files and other folders, and shares, which can also contain files and folders.

In particular embodiments, the VFS 160 may include a set of File Server Virtual Machines (FSVMs) 162, 164, and 166 that execute on host machines 102, 104, and 106. The set of file server virtual machines (FSVMs) may operate together to form a cluster. The FSVMs may process storage item access operations requested by user VMs executing on the host machines 102, 104, and 106. The FSVMs 162, 164, and 166 may communicate with storage controllers provided by CVMs 124, 132, 128 and/or hypervisors executing on the host machines 102, 104, 106 to store and retrieve files, folders, SMB shares, or other storage items. The FSVMs 162, 164, and 166 may store and retrieve block-level data on the host machines 102, 104, 106, e.g., on the local storage 136, 138, 140 of the host machines 102, 104, 106. The block-level data may include block-level representations of the storage items. The network protocol used for communication between user VMs, FSVMs, CVMs, and/or hypervisors via the network 154 may be Internet Small Computer Systems Interface (iSCSI), Server Message Block (SMB), Network File System (NFS), pNFS (Parallel NFS), or another appropriate protocol.

Generally, FSVMs may be utilized to receive and process requests in accordance with a file system protocol—e.g., NFS, SMB. In this manner, the cluster of FSVMs may provide a file system that may present files, folders, and/or a directory structure to users, where the files, folders, and/or directory structure may be distributed across a storage pool in one or more shares.

For the purposes of VFS 160, host machine 106 may be designated as a leader node within a cluster of host machines. In this case, FSVM 166 on host machine 106 may be designated to perform such operations. A leader may be responsible for monitoring or handling requests from FSVMs on other host machines throughout the virtualized environment. If FSVM 166 fails, a new leader may be designated for VFS 160.

In some examples, the user VMs may send data to the VFS 160 using write requests, and may receive data from it using read requests. The read and write requests, and their associated parameters, data, and results, may be sent between a user VM and one or more file server VMs (FSVMs) located on the same host machine as the user VM or on different host machines from the user VM. The read and write requests may be sent between host machines 102, 104, 106 via network 154, e.g., using a network communication protocol such as iSCSI, CIFS, SMB, TCP, IP, or the like. When a read or write request is sent between two VMs located on the same one of the host machines 102, 104, 106 (e.g., between the user VM 112 and the FSVM 162 located on the host machine 102), the request may be sent using local communication within the host machine 102 instead of via the network 154. Such local communication may be faster than communication via the network 154 in some examples. The local communication may be performed by, e.g., writing to and reading from shared memory accessible by the user VM 112 and the FSVM 162, sending and receiving data via a local “loopback” network interface, local stream communication, or the like.

In some examples, the storage items stored by the VFS 160, such as files and folders, may be distributed amongst storage managed by multiple FSVMs 162, 164, 166. In some examples, when storage access requests are received from the user VMs, the VFS 160 identifies FSVMs 162, 164, 166 at which requested storage items, e.g., folders, files, or portions thereof, are stored or managed, and directs the user VMs to the locations of the storage items. The FSVMs 162, 164, 166 may maintain a storage map, such as a sharding map, that maps names or identifiers of storage items to their corresponding locations. The storage map may be a distributed data structure of which copies are maintained at each FSVM 162, 164, 166 and accessed using distributed locks or other storage item access operations. In some examples, the storage map may be maintained by an FSVM at a leader node such as the FSVM 166, and the other FSVMs 162 and 164 may send requests to query and update the storage map to the leader FSVM 166. Other implementations of the storage map are possible using appropriate techniques to provide asynchronous data access to a shared resource by multiple readers and writers. The storage map may map names or identifiers of storage items in the form of text strings or numeric identifiers, such as folder names, file names, and/or identifiers of portions of folders or files (e.g., numeric start offset positions and counts in bytes or other units) to locations of the files, folders, or portions thereof. Locations may be represented as names of FSVMs, e.g., “FSVM-1”, as network addresses of host machines on which FSVMs are located (e.g., “ip-addr1” or 128.1.1.10), or as other types of location identifiers.

When a user application, e.g., executing in a user VM 112 on host machine 102, initiates a storage access operation, such as reading or writing data, the user VM 112 may send the storage access operation in a request to one of the FSVMs 162, 164, 166 on one of the host machines 102, 104, 106. A FSVM 164 executing on a host machine 102 that receives a storage access request may use the storage map to determine whether the requested file or folder is located on and/or managed by the FSVM 164. If the requested file or folder is located on and/or managed by the FSVM 164, the FSVM 164 executes the requested storage access operation. Otherwise, the FSVM 164 responds to the request with an indication that the data is not on the FSVM 164, and may redirect the requesting user VM 112 to the FSVM on which the storage map indicates the file or folder is located. The client may cache the address of the FSVM on which the file or folder is located, so that it may send subsequent requests for the file or folder directly to that FSVM.

As an example and not by way of limitation, the location of a file or a folder may be pinned to a particular FSVM 162 by sending a file service operation that creates the file or folder to a CVM, container, and/or hypervisor associated with (e.g., located on the same host machine as) the FSVM 162—the CVM 124 in the example of FIG. 1A. The CVM, container, and/or hypervisor may subsequently process file service commands for that file for the FSVM 162 and send corresponding storage access operations to storage devices associated with the file. In some examples, the FSVM may perform these functions itself. The CVM 124 may associate local storage 136 with the file if there is sufficient free space on local storage 136. Alternatively, the CVM 124 may associate a storage device located on another host machine 104, e.g., in local storage 138, with the file under certain conditions, e.g., if there is insufficient free space on the local storage 136, or if storage access operations between the CVM 124 and the file are expected to be infrequent. Files and folders, or portions thereof, may also be stored on other storage devices, such as the network-attached storage (NAS) 110 or the cloud storage 108 of the storage pool 156.

In particular embodiments, a name service 168, such as that specified by the Domain Name System (DNS) Internet protocol, may communicate with the host machines 102, 104, 106 via the network 154 and may store a database of domain names (e.g., host names) to IP address mappings. The domain names may correspond to FSVMs, e.g., fsvm1.domain.com or ip-addr1.domain.com for an FSVM named FSVM-1. The name service 168 may be queried by the user VMs to determine the IP address of a particular host machine (e.g., computing node) 102, 104, 106 given a name of the host machine, e.g., to determine the IP address of the host name ip-addr1 for the host machine 102. The name service 168 may be located on a separate server computer system or on one or more of the host machines 102, 104, 106. The names and IP addresses of the host machines of the VFS 160, e.g., the host machines 102, 104, 106, may be stored in the name service 168 so that the user VMs may determine the IP address of each of the host machines 102, 104, 106, or FSVMs 162, 164, 166. The name of each VFS instance, e.g., FS1, FS2, or the like, may be stored in the name service 168 in association with a set of one or more names that contains the name(s) of the host machines 102, 104, 106 or FSVMs 162, 164, 166 of the VFS 160 instance. The FSVMs 162, 164, 166 may be associated with the host names ip-addr1, ip-addr2, and ip-addr3, respectively. For example, the file server instance name FS1.domain.com may be associated with the host names ip-addr1, ip-addr2, and ip-addr3 in the name service 168, so that a query of the name service 168 for the server instance name “FS1” or “FS1.domain.com” returns the names ip-addr1, ip-addr2, and ip-addr3. As another example, the file server instance name FS1.domain.com may be associated with the host names fsvm-1, fsvm-2, and fsvm-3. 
Further, the name service 168 may return the names in a different order for each name lookup request, e.g., using round-robin ordering, so that the sequence of names (or addresses) returned by the name service for a file server instance name is a different permutation for each query until all the permutations have been returned in response to requests, at which point the permutation cycle starts again, e.g., with the first permutation. In this way, storage access requests from user VMs may be balanced across the host machines, since the user VMs submit requests to the name service 168 for the address of the VFS instance for storage items for which the user VMs do not have a record or cache entry, as described below.

In particular embodiments, each FSVM may have two IP addresses: an external IP address and an internal IP address. The external IP addresses may be used by SMB/CIFS clients, such as user VMs, to connect to the FSVMs. The external IP addresses may be stored in the name service 168. The IP addresses ip-addr1, ip-addr2, and ip-addr3 described above are examples of external IP addresses. The internal IP addresses may be used for iSCSI communication to CVMs, e.g., between the FSVMs 162, 164, 166 and the CVMs 124, 132, 128. Other internal communications may be sent via the internal IP addresses as well, e.g., file server configuration information may be sent from the CVMs to the FSVMs using the internal IP addresses, and the CVMs may get file server statistics from the FSVMs via internal communication.

Since the VFS 160 is provided by a distributed cluster of FSVMs 162, 164, 166, the user VMs that access particular requested storage items, such as files or folders, do not necessarily know the locations of the requested storage items when the request is received. A distributed file system protocol, e.g., MICROSOFT DFS or the like, may therefore be used, in which a user VM 112 may request the addresses of FSVMs 162, 164, 166 from a name service 168 (e.g., DNS). The name service 168 may send one or more network addresses of FSVMs 162, 164, 166 to the user VM 112. The addresses may be sent in an order that changes for each subsequent request in some examples. These network addresses are not necessarily the addresses of the FSVM 164 on which the storage item requested by the user VM 112 is located, since the name service 168 does not necessarily have information about the mapping between storage items and FSVMs 162, 164, 166. Next, the user VM 112 may send an access request to one of the network addresses provided by the name service, e.g., the address of FSVM 164. The FSVM 164 may receive the access request and determine whether the storage item identified by the request is located on the FSVM 164. If so, the FSVM 164 may process the request and send the results to the requesting user VM 112. However, if the identified storage item is located on a different FSVM 166, then the FSVM 164 may redirect the user VM 112 to the FSVM 166 on which the requested storage item is located by sending a “redirect” response referencing FSVM 166 to the user VM 112. The user VM 112 may then send the access request to FSVM 166, which may perform the requested operation for the identified storage item.
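The name lookup, storage-map check, redirect, and client-side caching described above can be traced end to end in the following added Python example, which is not part of the original disclosure. The class names, the `MAX_REDIRECTS` bound, and the sample paths and contents are assumptions constructed for illustration; the bound shows how a client can fail closed when FSVM copies of the storage map disagree.

```python
from itertools import permutations

# Assumption: the text sets no redirect limit; bounded here so stale maps cannot loop a client.
MAX_REDIRECTS = 3
FILE_1 = r"\\Share-1\Folder-1\File-1"   # constructed sample path
FILE_2 = r"\\Share-1\Folder-2\File-2"   # constructed sample path


class NameService:
    """Name service 168: maps a VFS instance name to FSVM host names."""

    def __init__(self, records):
        # Pre-compute every ordering of the host names for each instance.
        self._perms = {n: list(permutations(h)) for n, h in records.items()}
        self._cursor = {n: 0 for n in records}

    def lookup(self, instance):
        """Return the names in a different permutation per query, then cycle."""
        perms = self._perms[instance]
        i = self._cursor[instance]
        self._cursor[instance] = (i + 1) % len(perms)
        return list(perms[i])


class FSVM:
    """File server VM holding its own copy of the storage map (path -> FSVM name)."""

    def __init__(self, name, storage_map):
        self.name = name
        self.storage_map = dict(storage_map)
        self.items = {}  # path -> contents of storage items hosted here

    def handle(self, op, path, data=None):
        owner = self.storage_map.get(path)
        if owner is None:
            return ("error", "unknown storage item")
        if owner != self.name:
            return ("redirect", owner)  # item lives on another FSVM
        if op == "write":
            self.items[path] = data
        return ("ok", self.items.get(path))


class Client:
    """User VM side: name lookup, follow redirects, cache the owning FSVM."""

    def __init__(self, name_service, fsvms):
        self.name_service = name_service
        self.fsvms = fsvms
        self.cache = {}   # path -> FSVM that last served it
        self.trace = []   # every FSVM contacted, in order

    def access(self, instance, op, path, data=None):
        target = self.cache.get(path) or self.name_service.lookup(instance)[0]
        for _ in range(MAX_REDIRECTS + 1):
            if target not in self.fsvms:
                break  # redirect names an FSVM outside this VFS instance
            self.trace.append(target)
            status, value = self.fsvms[target].handle(op, path, data)
            if status == "ok":
                self.cache[path] = target
                return value
            if status == "error":
                self.cache.pop(path, None)
                raise LookupError(f"{path}: {value}")
            target = value  # "redirect": retry at the FSVM named in the response
        self.cache.pop(path, None)
        raise RuntimeError(f"{path}: redirect chain not resolved, storage maps disagree")


def build_demo(stale=False):
    """Three FSVMs behind FS1.domain.com; stale=True makes two map copies disagree."""
    names = ["fsvm-1", "fsvm-2", "fsvm-3"]
    storage_map = {FILE_1: "fsvm-3", FILE_2: "fsvm-1"}
    fsvms = {n: FSVM(n, storage_map) for n in names}
    fsvms["fsvm-3"].items[FILE_1] = b"report"   # constructed contents
    fsvms["fsvm-1"].items[FILE_2] = b"notes"    # constructed contents
    if stale:
        fsvms["fsvm-1"].storage_map[FILE_1] = "fsvm-2"
        fsvms["fsvm-2"].storage_map[FILE_1] = "fsvm-1"
    return Client(NameService({"FS1.domain.com": names}), fsvms)


if __name__ == "__main__":
    client = build_demo()
    print(client.access("FS1.domain.com", "read", FILE_1), client.trace)
    print(client.access("FS1.domain.com", "read", FILE_1), client.trace)
```

The first read contacts fsvm-1 and is redirected to fsvm-3; the second goes to fsvm-3 directly from the cache.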

A particular VFS 160, including the items it stores, e.g., files and folders, may be referred to herein as a VFS “instance” and may have an associated name, e.g., FS1, as described above. Although a VFS instance may have multiple FSVMs distributed across different host machines, with different files being stored on FSVMs, the VFS instance may present a single name space to its clients such as the user VMs. The single name space may include, for example, a set of named “shares” and each share may have an associated folder hierarchy in which files are stored. Storage items such as files and folders may have associated names and metadata such as permissions, access control information, size quota limits, file types, file sizes, and so on. As another example, the name space may be a single folder hierarchy, e.g., a single root directory that contains files and other folders. User VMs may access the data stored on a distributed VFS instance via storage access operations, such as operations to list folders and files in a specified folder, create a new file or folder, open an existing file for reading or writing, and read data from or write data to a file, as well as storage item manipulation operations to rename, delete, copy, or get details, such as metadata, of files or folders. Note that folders may also be referred to herein as “directories.”

In particular embodiments, storage items such as files and folders in a file server namespace may be accessed by clients, such as user VMs, by name, e.g., “\Folder-1\File-1” and “\Folder-2\File-2” for two different files named File-1 and File-2 in the folders Folder-1 and Folder-2, respectively (where Folder-1 and Folder-2 are sub-folders of the root folder). Names that identify files in the namespace using folder names and file names may be referred to as “path names.” Client systems may access the storage items stored on the VFS instance by specifying the file names or path names, e.g., the path name “\Folder-1\File-1”, in storage access operations. If the storage items are stored on a share (e.g., a shared drive), then the share name may be used to access the storage items, e.g., via the path name “\\Share-1\Folder-1\File-1” to access File-1 in folder Folder-1 on a share named Share-1.

In particular embodiments, although the VFS may store different folders, files, or portions thereof at different locations, e.g., on different FSVMs, the use of different FSVMs or other elements of storage pool 156 to store the folders and files may be hidden from the accessing clients. The share name is not necessarily a name of a location such as an FSVM or host machine. For example, the name Share-1 does not identify a particular FSVM on which storage items of the share are located. The share Share-1 may have portions of storage items stored on three host machines, but a user may simply access Share-1, e.g., by mapping Share-1 to a client computer, to gain access to the storage items on Share-1 as if they were located on the client computer. Names of storage items, such as file names and folder names, may similarly be location-independent. Thus, although storage items, such as files and their containing folders and shares, may be stored at different locations, such as different host machines, the files may be accessed in a location-transparent manner by clients (such as the user VMs). Thus, users at client systems need not specify or know the locations of each storage item being accessed. The VFS may automatically map the file names, folder names, or full path names to the locations at which the storage items are stored. As an example and not by way of limitation, a storage item's location may be specified by the name, address, or identity of the FSVM that provides access to the storage item on the host machine on which the storage item is located. A storage item such as a file may be divided into multiple parts that may be located on different FSVMs, in which case access requests for a particular portion of the file may be automatically mapped to the location of the portion of the file based on the portion of the file being accessed (e.g., the offset from the beginning of the file and the number of bytes being accessed).

In particular embodiments, VFS 160 determines the location, e.g., FSVM, at which to store a storage item when the storage item is created. For example, a FSVM 162 may attempt to create a file or folder using a CVM 124 on the same host machine 102 as the user VM 114 that requested creation of the file, so that the CVM 124 that controls access operations to the file or folder is co-located with the user VM 114. While operations with a CVM are described herein, the operations could also or instead occur using a hypervisor and/or container in some examples. In this way, since the user VM 114 is known to be associated with the file or folder and is thus likely to access the file again, e.g., in the near future or on behalf of the same user, access operations may use local communication or short-distance communication to improve performance, e.g., by reducing access times or increasing access throughput. If there is a local CVM on the same host machine as the FSVM, the FSVM may identify it and use it by default. If there is no local CVM on the same host machine as the FSVM, a delay may be incurred for communication between the FSVM and a CVM on a different host machine. Further, the VFS 160 may also attempt to store the file on a storage device that is local to the CVM being used to create the file, such as local storage, so that storage access operations between the CVM and local storage may use local or short-distance communication.

In some examples, if a CVM is unable to store the storage item in local storage of a host machine on which an FSVM resides, e.g., because local storage does not have sufficient available free space, then the file may be stored in local storage of a different host machine. In this case, the stored file is not physically local to the host machine, but storage access operations for the file are performed by the locally-associated CVM and FSVM, and the CVM may communicate with local storage on the remote host machine using a network file sharing protocol, e.g., iSCSI, SAMBA, or the like.

In some examples, if a virtual machine, such as a user VM 112, CVM 124, or FSVM 162, moves from a host machine 102 to a destination host machine 104, e.g., because of resource availability changes, and data items such as files or folders associated with the VM are not locally accessible on the destination host machine 104, then data migration may be performed for the data items associated with the moved VM to migrate them to the new host machine 104, so that they are local to the moved VM on the new host machine 104. FSVMs may detect removal and addition of CVMs (as may occur, for example, when a CVM fails or is shut down) via the iSCSI protocol or other technique, such as heartbeat messages. As another example, a FSVM may determine that a particular file's location is to be changed, e.g., because a disk on which the file is stored is becoming full, because changing the file's location is likely to reduce network communication delays and therefore improve performance, or for other reasons. Upon determining that a file is to be moved, VFS 160 may change the location of the file by, for example, copying the file from its existing location(s), such as local storage 136 of a host machine 102, to its new location(s), such as local storage 138 of host machine 104 (and to or from other host machines, such as local storage 140 of host machine 106 if appropriate), and deleting the file from its existing location(s). Write operations on the file may be blocked or queued while the file is being copied, so that the copy is consistent. The VFS 160 may also redirect storage access requests for the file from an FSVM at the file's existing location to a FSVM at the file's new location.

In particular embodiments, VFS 160 includes at least three File Server Virtual Machines (FSVMs) 162, 164, 166 located on three respective host machines 102, 104, 106. To provide high-availability, in some examples, there may be a maximum of one FSVM for a particular VFS instance VFS 160 per host machine in a cluster. If two FSVMs are detected on a single host machine, then one of the FSVMs may be moved to another host machine automatically in some examples, or the user (e.g., system administrator) may be notified to move the FSVM to another host machine. The user may move a FSVM to another host machine using an administrative interface that provides commands for starting, stopping, and moving FSVMs between host machines.

In some examples, two FSVMs of different VFS instances may reside on the same host machine. If the host machine fails, the FSVMs on the host machine become unavailable, at least until the host machine recovers. Thus, if there is at most one FSVM for each VFS instance on each host machine, then at most one of the FSVMs may be lost per VFS per failed host machine. As an example, if more than one FSVM for a particular VFS instance were to reside on a host machine, and the VFS instance includes three host machines and three FSVMs, then loss of one host machine would result in loss of two-thirds of the FSVMs for the VFS instance, which may be more disruptive and more difficult to recover from than loss of one-third of the FSVMs for the VFS instance.

In some examples, users, such as system administrators or other users of the system and/or user VMs, may expand the cluster of FSVMs by adding additional FSVMs. Each FSVM may be associated with at least one network address, such as an IP (Internet Protocol) address of the host machine on which the FSVM resides. There may be multiple clusters, and all FSVMs of a particular VFS instance are ordinarily in the same cluster. The VFS instance may be a member of a MICROSOFT ACTIVE DIRECTORY domain, which may provide authentication and other services such as name service.

In some examples, files hosted by a virtualized file server, such as the VFS 160, may be provided in shares—e.g., SMB shares and/or NFS exports. SMB shares may be distributed shares (e.g., home shares) and/or standard shares (e.g., general shares). NFS exports may be distributed exports (e.g., sharded exports) and/or standard exports (e.g., non-sharded exports). A standard share may in some examples be an SMB share and/or an NFS export hosted by a single FSVM (e.g., FSVM 162, FSVM 164, and/or FSVM 166 of FIG. 1A). The standard share may be stored, e.g., in the storage pool in one or more volume groups and/or vDisks and may be hosted (e.g., accessed and/or managed) by the single FSVM. The standard share may correspond to a particular folder (e.g., \\enterprise\finance may be hosted on one FSVM, \\enterprise\hr on another FSVM). In some examples, distributed shares may be used which may distribute hosting of a top-level directory (e.g., a folder) across multiple FSVMs. So, for example, \\enterprise\users\ann and \\enterprise\users\bob may be hosted at a first FSVM, while \\enterprise\users\chris and \\enterprise\users\dan are hosted at a second FSVM. In this manner a top-level directory (e.g., \\enterprise\users) may be hosted across multiple FSVMs. This may also be referred to as a sharded or distributed share (e.g., a sharded SMB share). As discussed, a distributed file system protocol, e.g., MICROSOFT DFS or the like, may be used, in which a user VM may request the addresses of FSVMs 162, 164, 166 from a name service (e.g., DNS).

Accordingly, systems described herein may include one or more virtual file servers, where each virtual file server may include a cluster of file server VMs and/or containers operating together to provide a file system. Examples of systems described herein may include a file analytics system that may collect, monitor, store, analyze, and report on various analytics associated with the virtual file server(s). By providing a file analytics system, system administrators may advantageously find it easier to manage their files stored in a distributed file system, and may more easily gain, understand, protect and utilize insights about the stored data and/or the usage of the file system over time. Examples of file analytics systems are described using an analytics virtual machine (an analytics VM); however, it is to be understood that the analytics VM may be implemented in various examples using one or more virtual machines and/or one or more containers. The analytics VM may be hosted on one of the computing nodes of the virtualized file server, or may be hosted on a computing node external to the virtualized file server.

The analytics VM 170 may retrieve, organize, aggregate, and/or analyze information corresponding to a file system. The information may be stored in an analytics datastore. The analytics VM 170 may query or monitor the analytics datastore to provide information to an administrator in the form of display interfaces, reports, and alerts/notifications. As shown in FIG. 1A, the analytics VM 170 may be hosted on the computing node 102. Without departing from the scope of the disclosure, the analytics VM 170 may be hosted on any computing node, including the computing nodes 104 or 106, or a node external to the virtualized file server. In some examples, the analytics VM 170 may be provided as a hosted analytics system on a computing system and/or platform in communication with the VFS 160. For example, the analytics VM 170 may be provided as a hosted analytics system in the cloud—e.g., provided on one or more cloud computing platforms.

In some examples, the analytics VM 170 may perform various functions that are split into different containerized components using a container architecture and container manager. For example, the analytics VM 170 may include three containers—(1) a message bus (e.g., Kafka server), (2) an analytics data engine (e.g., Elastic Search), and (3) an API server, which may host various processes. During operation, the analytics VM 170 may perform multiple functions related to information collection, including a metadata collection process to receive metadata associated with the file system, a configuration information collection process to receive configuration and user information from the VFS 160, and an event data collection process to receive event data from the VFS 160.

The metadata collection process may include gathering the overall size, structure, owners, and storage locations of the VFS 160 and/or parts of the file system managed by the VFS 160, as well as details for one or more (e.g., each) data item (e.g., file, folder, directory, share, etc.) in the VFS 160 and/or other metadata associated with the VFS 160. In some examples, the metadata collection process (e.g., the analytics VM 170) may use a snapshot of the overall VFS 160 to receive the metadata from the VFS 160 which represents a point in time state of files on the VFS 160, such as a snapshot provided by a disaster recovery application of the VFS 160. For example, the analytics VM 170 may mount a snapshot of the VFS 160 to scan the file system to retrieve metadata from the VFS 160. In some examples, the analytics VM 170 may communicate directly with each of the FSVMs 162, 164, 166 of the VFS 160 during the metadata collection process to retrieve respective portions of the metadata. In some examples, during the metadata scan, the VFS 160, the analytics VM 170, or another service, process, or application hosted or running on one or more of the computing nodes 102, 104, 106 may add a checkpoint or marker (e.g., index) after every completed metadata transaction to indicate where it left off. The checkpoint may allow the analytics VM 170 to return to the checkpoint to resume the scan should the scan be interrupted for some reason. Without the checkpoint, the metadata scan may start anew, creating duplicate metadata records in the events log that need to be resolved.

In some examples, the analytics VM 170 may make an initial snapshot scan of the VFS 160 to obtain initial metadata concerning the file system (e.g., number of files, directories, file names, file sizes, file owner ID and/or name, file permissions (e.g., access control lists, etc.)) using the FSVM1-3 snapshots 172, 174, 176. The analytics tool 170 may provide an API call (e.g., SMB ACL call) to the VFS 160 to retrieve owner usernames and/or ACL permission information based on the owner identifier and the ACL identifier.

For example, the metadata collection process (e.g., executed by an analytics VM) may mount one or more of the snapshots 172, 174, 176 of the VFS 160 to scan the file system to retrieve metadata of the file system managed by the VFS 160. Each snapshot may represent a state of the file system managed by the VFS 160 at a point in time. The analytics VM 170 may use the information gathered from the one or more snapshots to develop a comprehensive picture of the file system managed by the VFS 160 at a point in time, as well as to derive events by comparing successive snapshots.

In some examples, the snapshots may be provided by a disaster recovery application of the VFS 160. For example, the FSVM 162 may generate FSVM1 snapshots 172, the FSVM 164 may generate FSVM2 snapshots 174, and the FSVM 166 may generate FSVM3 snapshots 176. While an example of the FSVM generating the snapshots is provided, the snapshots may be generated by other processes in other examples (e.g., a disaster recovery process, a management process, or other component running on or in communication with the VFS 160).

In some examples, the analytics VM 170 may mount one or more of the snapshots 172, 174, 176 of the VFS 160 to obtain metadata of the file system managed by the VFS 160. In some examples, the analytics VM 170 may communicate directly with each of the FSVMs 162, 164, 166 of the VFS 160 during the metadata collection process to retrieve respective portions of the metadata from the snapshots. In some examples, the metadata collection processes performed by the analytics VM, e.g., analytics VM 170, may include a multi-threaded breadth-first search (BFS) that involves performing parallel threaded file system scanning. The parallel threaded file system scanning may include parallel scanning of different shares, parallel scanning of different folders of a common share, or any combination thereof. In some examples, the metadata collection process may implement a parallel BFS with level order traversal of a directory tree to collect metadata. Level order traversal may include processing a directory tree one level at a time. For example, starting with a top-level directory, a first level of a directory tree is processed before moving on to a next level of the directory tree. The level order traversal includes a current queue, which includes each item in the level of the directory tree currently being processed, and a next queue, which includes children of the level of the directory tree currently being processed. When processing of the current queue is completed, the current queue may be loaded with the next queue entries. By performing level order traversal, a size of the two queues may be more manageable, as compared with a system where every item from a directory tree is loaded into a single queue. The parallel BFS may include starting a thread on each level, and letting processing of all the data items on that level complete in the current queue before moving to the next or child queue.

In some examples, during the metadata scan, the VFS 160 and/or the analytics VM 170, or another service, process, or application hosted or running on one or more of the computing nodes 102, 104, 106 may add a checkpoint or marker (e.g., index) after every completed metadata transaction (e.g., after completing a scan of a level of a directory tree or a scan of a share) to indicate where it left off. In some examples, when processing of the current queue is complete, the current queue may be stored as the checkpoint before loading the next queue into the current queue. The checkpoint may allow the analytics VM 170 to return to the checkpoint to resume the scan should the scan be interrupted for some reason. Without the checkpoint, the metadata scan may start anew, creating duplicate metadata records in the events log that need to be resolved.
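The level order traversal with a current queue, a next queue, and a per-level checkpoint may be illustrated as follows. This is an added example, not code from the disclosure; the function names, the JSON checkpoint file, the constructed directory tree, and the choice to commit a level's records only once the whole level has completed are assumptions.

```python
import json
import os
import tempfile
from concurrent.futures import ThreadPoolExecutor


def scan_dir(path):
    """Process one queue item: metadata for its entries plus its child directories."""
    records, children = [], []
    with os.scandir(path) as it:
        for entry in it:
            st = entry.stat(follow_symlinks=False)
            is_dir = entry.is_dir(follow_symlinks=False)
            records.append({"path": entry.path, "size": st.st_size, "is_dir": is_dir})
            if is_dir:
                children.append(entry.path)
    return records, children


def level_order_scan(root, checkpoint_file, sink, max_levels=None, workers=4):
    """Scan `root` one level at a time; return True once the whole tree is done.

    `sink` (a list standing in for the datastore) receives records only for
    completed levels. `max_levels` simulates an interruption after that many levels.
    """
    with ThreadPoolExecutor(max_workers=workers) as pool:
        if os.path.exists(checkpoint_file):
            # Resume: the checkpoint holds the last completed current queue.
            # Rebuild the next queue from it without emitting its records again.
            with open(checkpoint_file) as fh:
                done = json.load(fh)
            current = [c for _, kids in pool.map(scan_dir, done) for c in kids]
        else:
            current = [root]
        levels = 0
        while current:
            if max_levels is not None and levels >= max_levels:
                return False  # simulated interruption between levels
            next_queue, level_records = [], []
            # Items of one level are scanned in parallel; the level must finish
            # before the next queue is loaded.
            for records, kids in pool.map(scan_dir, current):
                level_records.extend(records)
                next_queue.extend(kids)
            sink.extend(level_records)
            # Store the completed current queue as the checkpoint (atomic rename).
            # A crash between the commit above and this write would still repeat
            # one level, so a real datastore would make the two steps one transaction.
            tmp = checkpoint_file + ".tmp"
            with open(tmp, "w") as fh:
                json.dump(current, fh)
            os.replace(tmp, checkpoint_file)
            current = next_queue
            levels += 1
    os.remove(checkpoint_file)
    return True


def demo_scan():
    """Build a constructed tree, interrupt the scan after two levels, then resume."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "share")
        for d in ("users/ann/docs", "users/bob", "finance/q1"):
            os.makedirs(os.path.join(root, d))
        for f in ("users/ann/docs/a.txt", "users/bob/b.txt",
                  "finance/q1/c.xlsx", "readme.txt"):
            with open(os.path.join(root, f), "w") as fh:
                fh.write("x")
        ckpt = os.path.join(base, "scan.ckpt")
        sink = []
        first = level_order_scan(root, ckpt, sink, max_levels=2)
        after_interrupt = len(sink)
        second = level_order_scan(root, ckpt, sink)
        paths = sorted(os.path.relpath(r["path"], root) for r in sink)
        return first, after_interrupt, second, paths


if __name__ == "__main__":
    print(demo_scan())
```

Because the resumed run restarts from the checkpointed level rather than from the root, the records of the first two levels are not emitted a second time.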

In some examples, the analytics VM 170 may make an initial snapshot scan of the VFS 160 to obtain initial metadata concerning the file system (e.g., number of files, directories, file names, file sizes, file owner ID and/or name, file permissions (e.g., access control lists, etc.)) using the FSVM1-3 snapshots 171, 173, 175. The analytics tool 170 may provide an API call (e.g., SMB ACL call) to the VFS 160 to retrieve owner usernames and/or ACL permission information based on the owner identifier and the ACL identifier.

Subsequent metadata may be obtained by mounting snapshots periodically and extracting metadata from the snapshots. By using snapshots to collect metadata, the analytics VM 170 may avoid or reduce the instances of scanning the file system itself during file system operation, which may in some examples slow or otherwise interfere with file system operation.

For disaster recovery, the FSVMs 162, 164, and 166 or another component (e.g., application, process, and/or service) of the VFS 160 or of the distributed computing system or in communication with the distributed computing system 100 (e.g., computing node, an administrative system, a storage controller, the CVMs 124, 132, 128, the hypervisors 130, 132, 134, etc.) may periodically generate new, updated FSVM1-3 snapshots 172, 174, 176, respectively, of the file system to aid in disaster recovery over time. In some examples, in addition to use of individual ones of the FSVM1-3 snapshots 172, 174, and 176 to determine a state of the file system at a point in time, the analytics VM 170 may compare different versions of the FSVM1-3 snapshots 172, 174, 176 to detect metadata differences, and then may use those detected metadata differences to derive event data. For example, if the metadata of a first snapshot of the FSVM1 snapshots 172 indicates that a particular share has a first size and the metadata of a second snapshot of the FSVM1 snapshots 172 indicates that the particular share has a second size, the analytics VM 170 may generate an event that the size of the particular file was changed from the first size to the second size. Other types of events may be derived by the analytics VM 170 if a metadata comparison between two snapshots reveals that a file/folder/share/directory/etc. is added, removed, moved, or some other change has taken place.
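Deriving events from the metadata differences between two snapshots may be illustrated as follows. This is an added example, not code from the disclosure; the snapshot layout (a mapping from path to metadata), the stable per-file `file_id` used to recognize moves, and the sample data are assumptions constructed for the illustration.

```python
from collections import defaultdict


def share_sizes(snapshot):
    """Total size per share, taking the first path component as the share name."""
    totals = defaultdict(int)
    for path, meta in snapshot.items():
        totals[path.split("/")[1]] += meta["size"]
    return dict(totals)


def derive_events(old, new):
    """Compare two metadata snapshots and return the derived events as tuples.

    old/new map path -> {"file_id": int, "size": int}. `file_id` is assumed to be
    unique within a snapshot and stable across renames (inode-like).
    """
    events = []
    old_by_id = {m["file_id"]: p for p, m in old.items()}
    new_by_id = {m["file_id"]: p for p, m in new.items()}

    for fid, new_path in new_by_id.items():
        if fid not in old_by_id:
            events.append(("add", new_path))
            continue
        old_path = old_by_id[fid]
        if old_path != new_path:
            events.append(("move", new_path, old_path))
        old_size, new_size = old[old_path]["size"], new[new_path]["size"]
        if old_size != new_size:
            events.append(("size_change", new_path, old_size, new_size))

    for fid, old_path in old_by_id.items():
        if fid not in new_by_id:
            events.append(("remove", old_path))

    # Share-level event: the share has a first size in one snapshot and a
    # second size in the other.
    before, after = share_sizes(old), share_sizes(new)
    for share in sorted(set(before) | set(after)):
        b, a = before.get(share, 0), after.get(share, 0)
        if b != a:
            events.append(("share_size_change", share, b, a))
    return events


# Constructed sample snapshots.
OLD_SNAPSHOT = {
    "/finance/q1.xlsx": {"file_id": 1, "size": 100},
    "/finance/q2.xlsx": {"file_id": 2, "size": 200},
    "/hr/policy.docx": {"file_id": 3, "size": 50},
    "/hr/notes.txt": {"file_id": 4, "size": 10},
}
NEW_SNAPSHOT = {
    "/finance/q1.xlsx": {"file_id": 1, "size": 100},          # unchanged
    "/finance/archive/q2.xlsx": {"file_id": 2, "size": 200},  # moved
    "/hr/policy.docx": {"file_id": 3, "size": 80},            # modified
    "/hr/notes.txt": {"file_id": 9, "size": 10},              # deleted, then recreated
    "/hr/new.txt": {"file_id": 10, "size": 5},                # added
}


def demo_diff():
    return derive_events(OLD_SNAPSHOT, NEW_SNAPSHOT)


if __name__ == "__main__":
    for event in demo_diff():
        print(event)
```

A file that was deleted and recreated at the same path between snapshots shows up as a remove plus an add rather than as "unchanged", which a path-only comparison would miss.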

In some examples, the shares of the file system managed by the VFS 160 may be sharded (e.g., distributed across multiple FSVMs 162, 164, 166), which may impact capturing of a complete set of metadata for the file system. FIG. 1B illustrates an example hierarchical structure 101 of a portion of the VFS 160 according to particular embodiments. Portions of a share 191 of the VFS 160 may be distributed or sharded across the FSVM 162 and the FSVM 164. As shown, the FSVM 161 may manage a first directory (e.g., a folder-1 192 and a file-1 193) and a second directory (e.g., a folder-2 194, a folder-3 195, and a file-2 196) of the share 191. The FSVM 162 may manage a third directory (e.g., a folder-4 197 and a file-3 198) of the share 191. Thus, when the FSVM1 snapshot 172 is generated, it may not include the metadata details for the third branch structure managed by the FSVM 164. Similarly, when the FSVM2 snapshot 174 is generated, it may not include the metadata details for the first and second directories managed by the FSVM 162. In some examples, the FSVM1 snapshot 172 may include a pointer or some other indicator (e.g., a FSVM identifier) of the presence of the third directory branch structure managed by the FSVM 164. Similarly, the FSVM2 snapshot 174 may include a pointer or some other indicator (e.g., a FSVM identifier) of the presence of the first and second directories managed by the FSVM 162.

Thus, as part of the metadata collection process, a distributed file protocol, e.g., DFS, may be used to obtain a collection of FSVM identifiers (e.g., IP addresses) to be mounted to access the full share 191. However, in some examples, the analytics VM 170 may be implemented using a Linux client or other client that may not support DFS referrals or other distributed file protocol to obtain identification of which FSVMs host which files (e.g., which shares). Typically, files may be sharded across multiple FSVMs based on their top-level directory (e.g., an initial folder such as \\enterprise\hr in the file system may include files and/or lower level folders stored across multiple FSVMs).

Accordingly, if the FSVM1 snapshot 172 for a portion of a share hosted by the FSVM 162 is mounted, the analytics VM 170 may identify all folders (e.g., top-level directories), but not all data for the share may be available via the FSVM1 snapshot 172. Rather, some of the data may be hosted on other FSVMs 164 or 166, and stored in the FSVM2 snapshots 174 or the FSVM3 snapshots 176. In some examples, the analytics VM 170 may map top-level directories to the FSVM 162, 164, and/or 166 using the snapshots 172, 174, 176, and then may use that information to traverse those directories. So, for example, the analytics VM 170 may identify that the FSVM 162 and the FSVM 164 may host a particular top-level directory (e.g., share 191 of FIG. 1B) when scanning the FSVM1 snapshot 172 or the FSVM2 snapshot 174. In order to scan all of the metadata for that top-level directory, the other of the FSVM1 snapshot 172 or the FSVM2 snapshot 174 may be accessed and scanned to retrieve the rest of the data. In this manner, all data in the top-level directory (e.g., across a distributed SMB share) may be scanned by the analytics VM 170, even without use of a DFS Referral. The metadata retrieved during the metadata collection process may be used to present information about the VFS 160 to a user via a user interface or via a report. The metadata may also be used to analyze event data, and to present recommendations to an administrator. For example, the analytics VM 170 may compare access history for a share with an ACL assigned to the share to recommend a change in the ACL based on the access history.

To capture configuration information, the analytics VM 170 may use an application programming interface (API) architecture to request the configuration information from the VFS 160. The API architecture may include representation state transfer (REST) API architecture. The configuration information may include user information, a number of shares, deleted shares, created shares, etc. In some examples, the analytics VM 170 may communicate directly with the leader FSVM of the FSVMs 162, 164, 166 of the VFS 160 to collect the configuration information. In some examples, the analytics VM 170 may communicate directly with another component (e.g., application, process, and/or service) of the VFS 160 or of the distributed computing system 100 (e.g., one or more storage controllers, virtualization managers, the CVMs 124, 132, 128, the hypervisors 130, 132, 134, etc.) to collect the configuration information. In some examples, the analytics VM 170 may communicate directly with another component (e.g., application, process, and/or service) of the VFS 160 or of the distributed computing system or in communication with the distributed computing system 100 (e.g., computing node, an administrative system, a storage controller, the CVMs 124, 132, 128, the hypervisors 130, 132, 134, etc.) to collect the configuration information.

To capture event data, the analytics VM 170 may interface with the VFS 160 using a messaging system (e.g., publisher/subscriber message system) to receive event data for storage in the analytics datastore. That is, the analytics VM 170 may subscribe to one or more message topics related to activity of the VFS 160. The VFS 160 may include or may be associated with an audit framework with a connector publisher that is configured to publish the event data for consumption by the analytics VM 170. For example, the FSVMs 162, 164, 166 of the VFS 160 may each include or may be associated with a respective audit framework 163, 165, 167 with a connector publisher that may publish the event data for consumption by the analytics VM 170. In some examples, while the audit framework 163, 165, 167 for each FSVM 162, 164, 166 is depicted as being part of the FSVMs 162, 164, 166, the audit framework 163, 165, 167 may be hosted by another component (e.g., application, process, and/or service) of the VFS 160 or of the distributed computing system 100 (e.g., one or more storage controller(s), the CVMs 124, 132, 128, the hypervisors 130, 132, 134, etc.) without departing from the scope of the disclosure. The audit framework generally refers to one or more software components which may be provided to collect, store, analyze, and/or transmit audit data (e.g., data regarding events in the file system). The CVMs 124, 126, 128 (and/or hypervisors or other containers) may host a message service configured to route messages between publishers and subscribers/consumers over a message bus. The event data may include data related to various operations performed with the VFS 160, such as adding, deleting, moving, modifying, etc., a file, folder, directory, share, etc., within the VFS 160. The event information may indicate an event type (e.g., add, move, delete, modify), a user associated with the event, an event time, etc.
In some examples, once an event is written to the analytics datastore, it is not able to be modified. In some examples, the analytics VM 170 may be configured to aggregate multiple events into a single event for storage in the analytics datastore 190. For example, if a known task (e.g., moving a file) results in generation of a predictable sequence of events, the analytics VM 170 may aggregate that sequence into a single event.

In some examples, the analytics VM 170 and/or the corresponding VFS 160 may include protections to prevent event data from being lost. In some examples, the VFS 160 may store event data until it is consumed by the analytics VM 170. For example, if the analytics VM 170 (e.g., or the message system) becomes unavailable, the VFS 160 may persistently store the event data until the analytics VM 170 (e.g., or the message system) becomes available.

To support the persistent storage, as well as provision of the event data to the analytics VM 170, the FSVMs 162, 164, 166 of the VFS 160 may each include or be associated with the audit framework that includes a dedicated event log (e.g., tied to a FSVM-specific volume group) that is capable of being scaled to store all event data and/or metadata for a particular FSVM until successfully sent to the analytics VM 170. In some examples, the audit framework for each FSVM 162, 164, 166 may be hosted by another component (e.g., application, process, and/or service) of the VFS 160 or of the distributed computing system or in communication with the distributed computing system 100 (e.g., computing node, an administrative system, a storage controller, the CVMs 124, 132, 128, the hypervisors 130, 132, 134, etc.).

For example, each respective audit framework 163, 165, 167 may manage a separate respective event log via a separate volume group (e.g., the audit framework 163 manages the volume group 1 (VG1) event log 171, the audit framework 165 manages the volume group 2 (VG2) event log 173, and the audit framework 167 manages the volume group 3 (VG3) event log 175). The VG1-3 event logs 171, 173, and 175 may each be capable of being scaled to store all event data and/or metadata for parts of the VFS 160 that are managed by the respective FSVM 162, 164, 166. In some examples, the data may be persisted (e.g., maintained) until successfully provided to the analytics VM 170. While the VG1-3 event logs 171, 173, 175 are each shown in the respective local storages 136, 138, and 140, the VG1-3 event logs 171, 173, 175 may be maintained anywhere in the storage pool 170 without departing from the scope of the disclosure.

In some examples, if one of the FSVMs 162, 164, or 166 fails, the failed FSVM may be migrated to another one of the computing nodes 102, 104, or 106. In addition, the audit framework 163, 165, or 167 associated with the failed FSVM may also migrate over to the same computing node as the failed FSVM, and may continue updating the same VG1-3 event log 171, 173, or 175 based on the write index. FIG. 1C is a schematic illustration of the distributed computing system 100 of FIG. 1A showing a failover of a failed FSVM in accordance with examples described herein. As shown in FIG. 1C, the FSVM 162 has failed. In response to failure of the FSVM 162, the FSVM 162 may be migrated to the computing node 104 as FSVM 162a. In addition, the audit framework 163 may be migrated to the computing node 104 as the audit framework 163a. The FSVM 162 may mount the VG1 event log 171 to continue updating the event log based on a write index established by the audit framework 163. In some examples, rather than migrating as a separate VM, the file server VM 162's role may be assumed by the file server VM 164 and/or another file server. For example, responsive to failure of the FSVM 162, the FSVM 164 or an audit framework associated with the FSVM 164 may manage the VG1 event log 171. The VG1 event log 171 may be migrated to a volume group of the FSVM 164 and/or may otherwise be made accessible to the FSVM 164 and/or an audit framework associated with the FSVM 164.

Turning back to FIG. 1A, the audit framework (e.g., each audit framework 163, 165, and/or 167) may include an audit queue, an event logger, an event log, and a service connector. The audit queue may be configured to receive event data and/or metadata from the VFS 160 via network file server or server message block server communications, and to provide the event data and/or metadata to the mediator (e.g., event logger). The event logger may be configured to store the received event data and/or metadata from the audit queue, as well as retrieve requested event data and/or metadata from the event log in response to a request from the service connector. The service connector may be configured to communicate with other services (e.g., such as a message topic broker of the analytics VM 170) to respond to requests for provision of event data and/or metadata, as well as receive acknowledgments when event data and/or metadata are successfully received by the analytics VM 170. The events in the event log may be uniquely identified by a monotonically increasing sequence number, will be persisted to an event log and will be read from it when requested by the service connector.

The event logger may coordinate all of the event data and/or metadata writes and reads to and from the event log, which may facilitate the use of the event log for multiple services. The event logger may keep the in-memory state of the write index in the event log, and may persist it periodically to a control record (e.g., a master block). When the audit framework is started or restarted, the master record may be read to set the write index.

Multiple services may be able to read from an event log (e.g., the VG1-3 event logs 171, 173, 175) via their own service connectors (e.g., Kafka connectors). A service connector may have the responsibility of sending event data and metadata to the requesting service (e.g., such as the message topic broker of the analytics VM 170) reliably, keeping track of its state, and reacting to its failure and recovery. Each service connector may be tasked with persisting its respective read index, as well as being able to communicate the respective read index to the event logger when initiating an event read. The service connector may increment the in-memory read index only after receiving acknowledgement from its corresponding service and will periodically persist the in-memory state. The persisted read index value may be read at start/restart (e.g., or after a service interruption) and used to set the in-memory read index to a value from which to start reading. In some examples, when an event data record is read from the event log by a particular service, the event logger may stop maintenance of the event data record (e.g., allow it to be overwritten or removed from the event log).

During service start/recovery, the service connector may detect its presence and initiate an event read by communicating the read index to the event logger to read from the event log as part of the read call. The event logger may use the read index to find the next event to read and send to the requesting service (e.g., message topic broker of the analytics VM 170) via the service connector.

The analytics VM 170 and/or the VFS 160 may further include architecture to prevent event data from being processed out of chronological order. For example, the service connector and/or the requesting service may keep track of the message sequence number it has seen before failure, and may ignore any messages which have a sequence number less than or equal to the sequence number it has seen before failure. An exception may be raised by the message topic broker of the requesting service if the event log does not have the event for the sequence number expected by the service connector or if the message topic broker indicates that it has received a message with a sequence number that is not consecutive. In order to use the same event log for other services, a superset of all the proto fields will be taken to create a common format for the event record. The service connector will be responsible for filtering the required fields to get the ones it needs.
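The interplay of the event log's sequence numbers, the service connector's acknowledged and periodically persisted read index, and the consumer-side handling of replayed or non-consecutive sequence numbers may be illustrated as follows. This is an added example, not code from the disclosure; the class names, the in-memory stand-ins for persisted state, the persist interval, and the sample payloads are assumptions.

```python
class SequenceGap(Exception):
    """Raised when a message arrives with a non-consecutive sequence number."""


class EventLog:
    """Append-only log; events carry monotonically increasing sequence numbers."""

    def __init__(self):
        self._events = []      # event at list index i has sequence number i + 1
        self.master_block = 0  # stand-in for the persisted write index

    def append(self, payload):
        seq = len(self._events) + 1
        self._events.append({"seq": seq, "payload": payload})
        self.master_block = seq  # simplification: persisted on every write
        return seq

    def read_from(self, read_index, limit):
        """Return up to `limit` events with sequence number > read_index."""
        return self._events[read_index:read_index + limit]


class Consumer:
    """Requesting service: ignores replays, raises on gaps."""

    def __init__(self):
        self.last_seen = 0
        self.accepted = []
        self.ignored = 0

    def receive(self, event):
        seq = event["seq"]
        if seq <= self.last_seen:
            self.ignored += 1          # already seen before the failure
            return True                # still acknowledge so the sender advances
        if seq != self.last_seen + 1:
            raise SequenceGap(f"expected {self.last_seen + 1}, got {seq}")
        self.accepted.append(event["payload"])
        self.last_seen = seq
        return True


class ServiceConnector:
    """Sends events to one consumer and tracks its own read index."""

    def __init__(self, log, consumer, persist_every=3):
        self.log, self.consumer = log, consumer
        self.persist_every = persist_every
        self.read_index = 0            # in-memory
        self.persisted_read_index = 0  # stand-in for durable state

    def restart(self):
        """After a failure only the persisted read index survives."""
        self.read_index = self.persisted_read_index

    def pump(self, limit=100):
        sent = 0
        for event in self.log.read_from(self.read_index, limit):
            if not self.consumer.receive(event):
                break                  # no acknowledgement: do not advance
            self.read_index = event["seq"]
            if self.read_index % self.persist_every == 0:
                self.persisted_read_index = self.read_index
            sent += 1
        return sent


def demo_delivery():
    """Constructed scenario: connector fails after delivering 5 events, 3 persisted."""
    log, consumer = EventLog(), Consumer()
    connector = ServiceConnector(log, consumer)
    for n in range(1, 6):
        log.append(f"e{n}")
    connector.pump()       # delivers 1..5; persisted read index is 3
    connector.restart()    # in-memory index 5 is lost, restart from 3
    log.append("e6")
    log.append("e7")
    connector.pump()       # re-sends 4 and 5 (ignored), then delivers 6 and 7
    return log, connector, consumer


if __name__ == "__main__":
    _, conn, cons = demo_delivery()
    print(cons.accepted, cons.ignored, conn.persisted_read_index)
```

The replay after restart is what makes delivery at-least-once; the consumer's sequence check is what keeps each event from being applied twice or out of order.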

As previously discussed, the audit framework and event log may be tied to a particular FSVM in its own volume group. Thus, if a FSVM is migrated to another computing node, the event log may move with the FSVM and be maintained in the separate volume group from event logs of other FSVMs.

In some examples, the VFS 160 may be configured with denylist policies to denylist or prevent certain types of events from being analyzed and/or sent to the analytics VM 170, such as specific event types, events corresponding to a particular user, events corresponding to a particular client IP address, events related to certain file types, or any combination thereof. The denylisted events may be provided from the VFS 160 to the analytics VM 170 in response to an API call from the analytics VM 170. In addition, the analytics VM 170 may include an interface that allows a user to request and/or update the denylist policy, and send the updated denylist policy to the VFS 160. In some examples, the analytics VM 170 may be configured to process multiple channels of event data in parallel, while maintaining integrity and sequencing of the event data such that older event data does not overwrite newer event data.

In some examples, the analytics VM 170 may perform the metadata collection process in parallel with receipt of event data via the messaging system. The analytics VM 170 may reconcile information captured via the metadata collection process with event data information to prevent older data from overwriting newer data. In cases of reconciliation of the file system state caused by triggering an on demand scan, the state of the files index may be updated by both the event flow process and the scan process. To avoid the race condition, and maintain data integrity, when a metadata record corresponding to a storage item is received, the events processor may determine if any records for the storage item exist, and if so, may decline to update those records. If no records exist, then the events processor may add a record for the storage item.

The analytics VM 170 may process the metadata, the event data, and the configuration information to populate the analytics datastore 190. The analytics datastore 190 may include an entry for each item in the VFS 160. In some examples, the event data and the metadata may include a unique user identifier that ties back to a user, but is not used outside of the event data generation. In some examples, the analytics VM 170 may retrieve a user ID-to-username relationship from an active directory of the VFS 160 by connecting to a lightweight directory access protocol (LDAP) (e.g., for SMB, perform LDAP search on configured active directory, or on NFS, perform LDAP search on configured active directory or execute an API call if RFC2307 is not configured). In addition, rather than requesting a username or other identifier associated with the unique user identifier for every event, the analytics VM 170 may maintain a username-to-unique user identifier conversion table (e.g., stored in cache) for at least some of the unique user identifiers, and the username-to-unique user identifier conversion table may be used to retrieve a username, which may reduce traffic and improve performance of the VFS 160. Providing user context for active directory enabled SMB shares may help an administrator understand which user performed which operation as well as ownership of the file.

The analytics VM 170 may generate reports, including standard or default reports and/or customizable reports. The reports may be related to aggregate and/or specific user activity; aggregate file system activity; specific file, directory, share, etc., activity; etc.; or any combination thereof. If multiple report requests are submitted at a same time and/or during at least partially overlapping times, examples of the analytics VM may queue report requests and process the requests sequentially and/or partially sequentially. The status of report requests in the queue may be displayed (e.g., queued, processing, completed, etc.). In some examples, the analytics VM 170 may manage and facilitate administrator-set archival policies, such as time-based archival (e.g., archive data based on a last-accessed date being greater than a threshold), storage capacity-based archival (e.g., archiving certain data when available storage falls below a threshold), or any combination thereof.

In some examples, the analytics VM 170 may be configured to analyze the received event data to detect irregular, anomalous, and/or malicious activity within the file system. For example, the analytics VM 170 may detect malicious software activity (e.g., ransomware) or anomalous user activity (e.g., deleting a large amount of files, deleting a large share, etc.).

In some examples, in order to obtain metadata and/or events data regarding the file server, the analytics VM 170 may mount one or more shares managed by the VFS 160 and/or snapshots of shares managed by the VFS 160. Recall that in some examples shares may be sharded (e.g., distributed across multiple FSVMs). A distributed file protocol, e.g., DFS, may be used to obtain a collection of FSVM IDs (e.g., IP addresses) to be mounted to access the full share. However, in some examples, the analytics VM 170 may be implemented using a Linux client or other client that may not support DFS referrals or other distributed file protocol to obtain identification of which FSVMs host which files (e.g., which shares). Typically, files may be sharded across multiple FSVMs based on their top-level directory (e.g., an initial folder such as \\enterprise\hr in the file system may include files and/or lower level folders stored across multiple FSVMs).

Accordingly, if a snapshot 176 of a share hosted by FSVM 166 is mounted, the analytics VM 170 may identify all folders (e.g., top-level directories), but not all data may be seen as some of the data may be hosted on other FSVMs. In some examples, the analytics VM 170 may identify which top-level directories are on which FSVMs and traverse those directories. So, for example, the analytics VM 170 may identify that FSVM 166 and FSVM 164 may host a particular top-level directory, and in order to scan metadata for that top-level directory, snapshots for both FSVMs may be accessed and scanned. In this manner, all data in the top-level directory (e.g., across a distributed SMB share) may be scanned by the analytics VM 170, even without use of a DFS Referral.

FIG. 2A illustrates a clustered virtualization environment 200 implementing a virtualized file server (VFS) 260 and an analytics VM 270 according to particular embodiments. The analytics VM 270 may retrieve, organize, aggregate, and/or analyze information corresponding to the VFS 260 in an analytics datastore. The VFS 160 and/or the analytics VM 170 of FIG. 1A and/or 1C may be used to implement the VFS 260 and/or the analytics VM 270, respectively. The architecture of FIG. 2A can be implemented using a distributed platform that contains a cluster 201 of multiple host machines 202, 204, and 206 that manage a storage pool, which may include multiple tiers of storage. While the analytics VM 270 is shown as part of the clustered virtualization environment 200, in some examples the analytics VM 270 may be provided as a hosted cloud solution, e.g., provided by one or more cloud computing platforms and in communication with the clustered virtualization environment 200, e.g., with the VFS 260.

Each host machine (e.g., computing node) 202, 204, 206 may run virtualization software which may create, manage, and destroy user VMs and/or containers, as well as managing the interactions between the underlying hardware and user VMs.

In particular embodiments, the VFS 260 provides file services to user VMs, such as storing and retrieving data persistently, reliably, and efficiently. The VFS 260 may include a set of FSVMs 262, 264, and 266 that execute on host machines 202, 204, and 206 and process storage item access operations requested by user VMs.

The analytics VM 270 may include an application layer 274 and an analytics platform 290. The application layer 274 may include components such as an events processor 280, an alert and notification component 281, a visualization component 282, a policy management layer 283, an API layer 284, a machine learning service 285, a query layer 286, a security layer 287, a monitoring service 288, and an integration layer 289. Each layer may be implemented using software which may perform the described functions and may interact with other layers.

In some examples, the analytics platform 290, leveraging components of the application layer 274 may perform various functions that are split into different containerized components using a container architecture and container manager (e.g., an analytics datastore 292, a data ingestion engine 294, and a data collection framework 296). The integration layer 289 may integrate various components of the application layer 274 with components of the analytics platform 290.

During operation, the analytics VM 270 may perform multiple processes related to information collection, including a metadata collection process to receive metadata associated with the file system, a configuration information collection process to receive configuration and user information from the VFS 260, and an event data collection process to receive event data from the VFS 260. The data collection framework 296 may manage the metadata collection process and the configuration information collection process and the data ingestion engine 294 may manage capturing the event data.

The metadata collection process may include gathering the overall size, structure, and storage locations of parts of the file system managed by the VFS 260, as well as details for each data item (e.g., file, folder, directory, share, owner information, permission information, etc.) in the VFS 260. As part of the metadata collection process, the analytics VM 270 may mount one or more of the snapshots of the VFS 260 to retrieve metadata of the file system managed by the VFS 260. Each snapshot may represent a state of the file system managed by the VFS 260 at a point in time. The analytics VM 270 may use the information from the one or more snapshots to develop a comprehensive picture of the file system managed by the VFS 260 at a point in time. The analytics VM 270 may additionally or instead derive events by comparing successive snapshots. In some examples, the snapshots may be provided by a disaster recovery application of the VFS 260. For example, the FSVM 262 may generate FSVM1 snapshots, the FSVM 264 may generate FSVM2 snapshots, and the FSVM 266 may generate FSVM3 snapshots 275. While an example of the FSVM generating the snapshots is provided, the snapshots may be generated by other processes in other examples (e.g., a disaster recovery process, a management process, or other component running on or in communication with the VFS 260).

In some examples, the snapshots may be differential snapshots, in that the snapshots may only indicate files, directories, or other aspects of a share or of the file system that had changed since the last snapshot. Accordingly, in some examples, the analytics VM 270 may access the snapshot to determine which files, directories, shares, or other items had changed since a previous snapshot, and may access and obtain metadata from those updated items on the file server. This may reduce or eliminate a need to access and obtain metadata from all items on the file server at regular intervals. Instead, only changed items may be accessed to obtain updated metadata in some examples.

In some examples, the analytics VM 270 may mount one or more of the snapshots of the VFS 260 to retrieve metadata of the file system managed by the VFS 260. In some examples, the analytics VM 270 may communicate directly with each of the FSVMs 262, 264, 266 of the VFS 260 during the metadata collection process to retrieve respective portions of the metadata from the snapshots. In some examples, the metadata collection processes performed by the analytics VM 270 may include a multi-threaded breadth-first search (BFS) that involves performing parallel threaded file system scanning. The parallel threaded file system scanning may include parallel scanning of different shares, parallel scanning of different folders of a common share, or any combination thereof. In some examples, the metadata collection process may implement a parallel BFS with level order traversal of a directory tree to collect metadata. Level order traversal may include processing a directory tree one level at a time. For example, starting with a top-level directory, a first level of a directory tree is processed before moving on to a next level of the directory tree. The level order traversal includes a current queue, which includes each item in the level of the directory tree currently being processed, and a next queue, which includes children of the level of the directory tree currently being processed. When processing of the current queue is completed, the current queue may be loaded with the next queue entries. By performing level order traversal, a size of the two queues may be more manageable, as compared with a system where every item from a directory tree is loaded into a single queue. The parallel BFS may include starting a thread on each level, and letting processing of all the data items on that level complete in the current queue before moving to the next or child queue.

In some examples, during the metadata scan, the VFS 260, the analytics VM 270, or another service, process, or application hosted or running on one or more of the computing nodes 202, 204, 206, or in communication with the distributed system, may add a checkpoint or marker (e.g., index) after every completed metadata transaction to indicate where it left off. In some examples, when processing of the current queue is complete, the current queue may be stored as the checkpoint before loading the next queue into the current queue. The checkpoint may allow the analytics VM 270 to return to the checkpoint to resume the scan should the scan be interrupted for some reason. Without the checkpoint, the metadata scan may start anew, creating duplicate metadata records in the events log that need to be resolved.
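The level order traversal and checkpointing described in the two paragraphs above can be illustrated as follows. This is an added example, not code from the described system; the function names, the JSON checkpoint format, and the max_levels parameter (a stand-in for an interruption) are assumptions.

```python
import json
import os
from concurrent.futures import ThreadPoolExecutor


def scan_dir(path):
    """List one directory: metadata records for its entries, plus its subdirectories."""
    records, subdirs = [], []
    with os.scandir(path) as entries:
        for entry in entries:
            # Never follow symlinks, so the scan cannot wander outside the mounted snapshot.
            is_dir = entry.is_dir(follow_symlinks=False)
            st = entry.stat(follow_symlinks=False)
            records.append({"path": entry.path, "is_dir": is_dir,
                            "size": st.st_size, "mtime": st.st_mtime})
            if is_dir:
                subdirs.append(entry.path)
    return records, subdirs


def _process_level(pool, queue):
    """Scan every directory of one level in parallel; return (records, next queue)."""
    records, next_queue = [], []
    for recs, subdirs in pool.map(scan_dir, queue):
        records.extend(recs)
        next_queue.extend(subdirs)
    return records, next_queue


def level_order_scan(root, checkpoint_file, sink, workers=4, max_levels=None):
    """Level-order scan of root; sink(records) receives one level's metadata.

    Returns True when the tree is fully scanned and False when max_levels
    (assumed here to simulate an interruption) stopped the scan early.
    """
    with ThreadPoolExecutor(max_workers=workers) as pool:
        if os.path.exists(checkpoint_file):
            # Resume: the checkpoint holds the last fully processed queue.
            # Rebuild the next queue from it without emitting its records again.
            with open(checkpoint_file) as fh:
                completed = json.load(fh)["completed_queue"]
            _, current = _process_level(pool, completed)
        else:
            current = [root]
        levels = 0
        while current:
            if max_levels is not None and levels >= max_levels:
                return False
            records, next_queue = _process_level(pool, current)
            sink(records)
            # Store the completed current queue before loading the next queue.
            tmp = checkpoint_file + ".tmp"
            with open(tmp, "w") as fh:
                json.dump({"completed_queue": current}, fh)
            os.replace(tmp, checkpoint_file)  # atomic swap, so no torn checkpoint
            current = next_queue
            levels += 1
    if os.path.exists(checkpoint_file):
        os.remove(checkpoint_file)  # scan finished; the next scan starts fresh
    return True
```

If the process stops after sink() returns but before the checkpoint is written, that one level is emitted again on resume, so the sink should tolerate a repeated level.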

In some examples, the analytics VM 270 may make an initial snapshot scan of the VFS 260 to obtain initial metadata concerning the file system (e.g., number of files, directories, file names, file sizes, file owner ID and/or name, file permissions (e.g., access control lists, etc.)) using the FSVM1-3 snapshots. The analytics tool 270 may provide an API call (e.g., SMB ACL call) to the VFS 260 to retrieve owner usernames and/or ACL permission information based on the owner identifier and the ACL identifier.

For disaster recovery, the FSVMs 262, 264, and 266 or another component (e.g., application, process, and/or service) of or in communication with the VFS 260 or of the clustered virtualization environment or in communication with the clustered virtualization environment 200 (e.g., computing node, administrative system, storage controller, CVMs, hypervisors, etc.) may periodically generate new, updated FSVM1-3 snapshots, respectively, of the file system to aid in disaster recovery over time. In some examples, in addition to use of individual ones of the FSVM 1-3 snapshots to determine a state of the file system at a point in time, the analytics VM 270 may compare different versions of the FSVM1-3 snapshots to detect metadata differences, and then may use those detected metadata differences to derive event data. For example, if the metadata of a first snapshot of the FSVM1 snapshots indicates that a particular share has a first size and the metadata of a second snapshot of the FSVM1 snapshots indicates that the particular share has a second size, the analytics VM 270 may generate an event that the size of the particular file was changed from the first size to the second size. Other types of events may be derived by the analytics VM 270 if a metadata comparison between two snapshots reveals that a file/folder/share/directory/etc. is added, removed, moved, or some other change has taken place.
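Deriving events from the metadata differences between two snapshots, as described above, can be illustrated as follows. This is an added example, not code from the described system; the snapshot layout, the stable file_id field used to tell a move from a remove plus an add, and the sample data are constructed assumptions.

```python
def derive_events(old, new):
    """Compare the metadata of two snapshots and return the implied events.

    old, new: {path: {"file_id": int, "size": int, "owner": str}}
    file_id is an assumed stable, inode-like identifier.
    """
    old_by_id = {meta["file_id"]: (path, meta) for path, meta in old.items()}
    new_by_id = {meta["file_id"]: (path, meta) for path, meta in new.items()}
    events = []
    for fid, (path, meta) in new_by_id.items():
        if fid not in old_by_id:
            events.append({"type": "add", "path": path})
            continue
        old_path, old_meta = old_by_id[fid]
        if old_path != path:
            events.append({"type": "move", "path": path, "from": old_path})
        # A moved item may also have changed, so metadata is compared either way.
        for field in ("size", "owner"):
            if old_meta[field] != meta[field]:
                events.append({"type": "modify", "path": path, "field": field,
                               "old": old_meta[field], "new": meta[field]})
    for fid, (path, _meta) in old_by_id.items():
        if fid not in new_by_id:
            events.append({"type": "remove", "path": path})
    return sorted(events, key=lambda e: (e["path"], e["type"], e.get("field", "")))


# Constructed sample metadata for an earlier and a later snapshot of one share.
SNAPSHOT_EARLIER = {
    "/hr/policy.docx": {"file_id": 101, "size": 2048, "owner": "alice"},
    "/hr/old.xlsx": {"file_id": 102, "size": 512, "owner": "bob"},
    "/eng/design.md": {"file_id": 103, "size": 900, "owner": "carol"},
}
SNAPSHOT_LATER = {
    "/hr/policy.docx": {"file_id": 101, "size": 4096, "owner": "alice"},
    "/eng/archive/design.md": {"file_id": 103, "size": 900, "owner": "carol"},
    "/eng/notes.txt": {"file_id": 104, "size": 10, "owner": "carol"},
}

if __name__ == "__main__":
    for event in derive_events(SNAPSHOT_EARLIER, SNAPSHOT_LATER):
        print(event)
```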

In some examples, the shares of the file system managed by the VFS 260 may be sharded (e.g., distributed across multiple FSVMs 262, 264, 266), which may impact capturing of a complete set of metadata for the file system. Thus, as part of the metadata collection process, a distributed file protocol, e.g., DFS, may be used to obtain a collection of FSVM IDs (e.g., IP addresses) to be mounted to access a full share. However, in some examples, the analytics tool may be implemented using a Linux client or other client that may not support DFS referrals or other distributed file protocol to obtain identification of which FSVMs host which files (e.g., which shares). Typically, files may be sharded across multiple FSVMs based on their top-level directory (e.g., an initial folder such as \\enterprise\hr in the file system may include files and/or lower level folders stored across multiple FSVMs).

Accordingly, if a FSVM1 snapshot for a portion of a share hosted by the FSVM 266 is mounted, the analytics VM 270 may identify all folders (e.g., top-level directories), but not all data for the share may be available via the FSVM1 snapshot. Rather, some of the data may be hosted on other FSVMs 264 or 266, and stored in the FSVM2 snapshots or the FSVM3 snapshots. In some examples, the analytics VM 270 may map top-level directories to the FSVM 262, 264, 266 using the snapshots, and then may use that information to traverse those directories. So, for example, the analytics VM 270 may identify that the FSVM 264 and the FSVM 266 may host a particular top-level directory when scanning the FSVM2 snapshot or the FSVM3 snapshot. In order to scan all of the metadata for that top-level directory, the other of the FSVM2 snapshot or the FSVM3 snapshot may be accessed and scanned to retrieve the rest of the data. In this manner, all data in the top-level directory (e.g., across a distributed SMB share) may be scanned by the analytics VM 270, even without use of a DFS Referral. The metadata retrieved during the metadata collection process may be used to present information about the VFS 260 to a user via a user interface or via a report. The metadata may also be used to analyze event data, and to present recommendations to an administrator. For example, the analytics VM 270 may compare access history for a share with an ACL assigned to the share to recommend a change in the ACL based on the access history.

To capture configuration information, the analytics VM 270 via the data collection framework 296 and the API layer 284 may use an application programming interface (API) architecture to request the configuration information from the VFS 260. The API architecture may include representation state transfer (REST) API architecture. The configuration information may include user information, a number of shares, deleted shares, created shares, etc. In some examples, the analytics VM 270 may communicate directly with an FSVM, such as a leader FSVM, of the FSVMs 262, 264, 266 of the VFS 260 to collect the configuration information. In some examples, the analytics VM 270 may communicate directly with another component (e.g., application, process, and/or service) of the VFS 260 or of the clustered virtualization environment 200 (e.g., CVMs, hypervisors, etc.) to collect the configuration information. In some examples, the analytics VM 270 may communicate directly with another component (e.g., application, process, and/or service) of the VFS 260 or of the clustered virtualization environment 200 or in communication with the clustered virtualization environment (e.g., computing nodes, virtualization managers, storage controllers, administrative systems, CVMs, hypervisors, etc.) to collect the configuration information. In some examples, the analytics VM 270 may communicate directly with another component (e.g., application, process, and/or service) of the VFS 260 or of the clustered virtualization environment or in communication with the clustered virtualization environment 200 (e.g., an administrative system, virtualization manager, storage controller, CVMs, hypervisors, etc.) to collect the configuration information.

To capture event data (e.g., audit events), the analytics VM 270 via the data ingestion engine 294 may interface with the VFS 260 using a messaging system (e.g., publisher/subscriber message system) to receive event data via a message bus for storage in the analytics datastore 292. That is, the data ingestion engine 294 may subscribe to one or more message topics related to activity of the VFS 260, and the monitoring service 288 may monitor the message bus for audit events published by the VFS 260. The VFS 260 may include a connector publisher that is configured to publish the event data for consumption by the data collection framework 296. The event data may include data related to various operations performed with the VFS 260, such as adding, deleting, moving, modifying, etc., a file, folder, directory, share, etc., within the VFS 260. The event information may indicate an event type (e.g., add, move, delete, modify), a user associated with the event, an event time, etc. The events processor 280 may process the received data to create a record to be placed in the analytics datastore 292. In some examples, once an event is written to the analytics datastore 292, it is not able to be modified.

In some examples, the data collection framework 296 may be configured to aggregate multiple events into a single event for storage in the analytics datastore 292. For example, if a known task (e.g., moving a file) results in generation of a predictable sequence of events, the data collection framework 296 may aggregate that sequence into a single event.

In some examples, the analytics VM 270 and/or the corresponding VFS 260 may include protections to prevent event data from being lost. In some examples, the VFS 260 may store event data until it is consumed by the analytics VM 270. For example, if the analytics VM 270 (e.g., or the message system) becomes unavailable, the VFS 260 may store the event data until the analytics VM 270 (e.g., or the message system) becomes available.

To support the persistent storage, as well as provision of the event data to the analytics VM 270, the FSVMs 262, 264, 266 of the VFS 260 may each include or may be associated with an audit framework that includes a dedicated event log (e.g., tied to a FSVM-specific volume group) that is capable of being scaled to store all event data and/or metadata for a particular FSVM until successfully sent to the analytics VM 270. In some examples, the audit framework may be hosted by another (e.g., other than the FSVMs 262, 264, 266) component (e.g., application, process, and/or service) of the VFS 160 or of the distributed computing system or in communication with the distributed computing system 100 (e.g., computing node, administrative system, virtualization manager, storage controller(s), the CVMs 124, 132, 128, the hypervisors 130, 132, 134, etc.) without departing from the scope of the disclosure. The audit framework may include an audit queue, an event logger, an event log, and a service connector. The audit queue may be configured to receive event data and/or metadata from the VFS 260 via network file server or server message block server communications, and to provide the event data and/or metadata to the mediator (e.g., event logger). The event logger may be configured to store the received event data and/or metadata from the audit queue, as well as retrieve requested event data and/or metadata from the event log in response to a request from the service connector. The service connector may be configured to communicate with other services (e.g., such as a message topic broker of the analytics VM 270) to respond to requests for provision of event data and/or metadata, as well as receive acknowledgments when event data and/or metadata are successfully received by the analytics VM 270. 
The events in the event log may be uniquely identified by a monotonically increasing sequence number; they will be persisted to the event log and will be read from it when requested by the service connector.

The event logger may coordinate all of the event data and/or metadata writes and reads to and from the event log, which may facilitate the use of the event log for multiple services. The event logger may keep the in-memory state of the write index in the event log, and may persist it periodically to a control record (e.g., a master block). When the audit framework is started or restarted, the master record may be read to set the write index.

Multiple services may be able to read from the event log via their own service connectors (e.g., Kafka connectors). A service connector may have the responsibility of sending event data and metadata to the requesting service (e.g., such as the message topic broker of the analytics VM 270) reliably, keeping track of its state, and reacting to its failure and recovery. Each service connector may be tasked with persisting its respective read index, as well as being able to communicate the respective read index to the event logger when initiating an event read. The service connector may increment the in-memory read index only after receiving acknowledgement from its corresponding service and will periodically persist the in-memory state. The persisted read index value may be read at start/restart and used to set the in-memory read index to the value from which to start reading.

During service start/recovery, the service connector may detect its presence and initiate an event read by communicating the read index to the event logger to read from the event log as part of the read call. The event logger may use the read index to find the next event to read and send to the requesting service (e.g., message topic broker of the analytics VM 270) via the service connector.

The analytics VM 270 and/or the VFS 260 may further include architecture to prevent event data from being processed out of chronological order. For example, the service connector and/or the requesting service may keep track of the message sequence number it has seen before failure, and may ignore any messages which have a sequence number less than or equal to the sequence number it has seen before failure. An exception may be raised by the message topic broker of the requesting service if the event log does not have the event for the sequence number expected by the service connector or if the message topic broker indicates that it has received a message with a sequence number that is not consecutive. In order to use the same event log for other services, a superset of all the proto fields will be taken to create a common format for the event record. The service connector will be responsible for filtering the required fields to get the ones it needs.
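The read index, acknowledgement, and sequence number handling described in the preceding paragraphs can be illustrated as follows. This is an added example, not code from the described system; the class names, the dictionary standing in for persistent storage, and the persist_every interval are assumptions.

```python
class SequenceGap(Exception):
    """An expected sequence number is missing or a delivery is not consecutive."""


class EventLog:
    """Append-only log; each event gets a monotonically increasing sequence number."""

    def __init__(self):
        self._events = {}
        self._write_index = 0

    def append(self, payload):
        self._write_index += 1
        self._events[self._write_index] = payload
        return self._write_index

    def read(self, read_index):
        """Return (seq, payload) for the event after read_index, or None at end of log."""
        seq = read_index + 1
        if seq > self._write_index:
            return None
        if seq not in self._events:
            raise SequenceGap(f"event log has no event for sequence {seq}")
        return seq, self._events[seq]


class Broker:
    """Requesting service: drops replayed events and rejects non-consecutive ones."""

    def __init__(self):
        self.last_seen = 0
        self.accepted = []
        self.duplicates_ignored = 0

    def deliver(self, seq, payload):
        if seq <= self.last_seen:
            self.duplicates_ignored += 1   # replay after a restart: acknowledge, do not reprocess
            return True
        if seq != self.last_seen + 1:
            raise SequenceGap(f"expected {self.last_seen + 1}, received {seq}")
        self.accepted.append((seq, payload))
        self.last_seen = seq
        return True


class ServiceConnector:
    """Moves events from the log to the broker and tracks a persisted read index."""

    def __init__(self, log, broker, store, persist_every=2):
        self.log, self.broker, self.store = log, broker, store
        self.persist_every = persist_every
        # At start or restart, the in-memory read index comes from the persisted value.
        self.read_index = store.get("read_index", 0)

    def pump(self, limit=None):
        """Send up to limit events; return how many were acknowledged."""
        sent = 0
        while limit is None or sent < limit:
            item = self.log.read(self.read_index)
            if item is None:
                break
            seq, payload = item
            if not self.broker.deliver(seq, payload):
                break
            self.read_index = seq          # advance only after the acknowledgement
            sent += 1
            if self.read_index % self.persist_every == 0:
                self.store["read_index"] = self.read_index  # periodic persist
        return sent
```

Because the read index is persisted only periodically, a restarted connector may resend events the broker already processed; the broker's sequence check is what keeps them from being applied twice.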

As previously discussed, the audit framework and event log may be tied to a particular FSVM in its own volume group. Thus, if a FSVM is migrated to another computing node, the event log may move with the FSVM and be maintained in the separate volume group from event logs of other FSVMs.

In some examples, the data collection framework 296 via the events processor 280 may be configured to process multiple channels of event data in parallel, while maintaining integrity of the event data such that older event data does not overwrite newer event data.

In some examples, the data ingestion engine 294 and the data collection framework 296 may perform the metadata collection process in parallel with receipt of event data via the messaging system. The events processor 280 may reconcile information captured via the metadata collection process with event data information to prevent older data from overwriting newer data.

The events processor 280 may process the metadata, the event data, and the configuration information to populate the analytics datastore 292. The analytics datastore 292 may include an entry or record for each item in the VFS 260, as well as a record for each audit event. In some examples, the event data may include a unique user identifier that ties back to a user, but is not used outside of the event data generation. In some examples, the analytics VM 270 may retrieve a user ID-to-username relationship from an active directory by connecting to a lightweight directory access protocol (LDAP). In addition, rather than requesting a username or other identifier associated with the unique user identifier for every event, the events processor 280 may maintain a username-to-unique user identifier conversion table (e.g., stored in cache) for at least some of the unique user identifiers, and the username-to-unique user identifier conversion table may be used to retrieve a username, which may reduce traffic and improve performance of the VFS 260.

In this manner, the analytics datastore 292 may provide up-to-date information about the virtualized file server. The information may be current because it may reflect events, as they occur and are reported from the virtualized file server through the events pipeline. In this manner, file analytics systems described herein may provide real-time reporting—e.g., reports and/or view of the data of the file server which include changes which may have occurred within the last 1 second, 1 minute, 1 hour, and/or other time periods. It may not be necessary, for example, to conduct a full metadata scrape and/or process a bulk amount of data changes before accurate analytics may be reported. Instead, file analytics systems described herein may continuously update their data store based on events as reported by the virtualized file system.

The events processor 280, the visualization component 282, and the query layer 286 may generate reports for presentation via the user interfaces 272, including standard or default reports and/or customizable reports. The reports may be related to aggregate and/or specific user activity; aggregate file system activity; specific file, directory, share, etc., activity; etc.; or any combination thereof.

In some examples, the user interface 272 may be implemented using one or more web applications. The user interface 272 may communicate with the AVM 270, e.g., with a gateway instance provided by the AVM 270. For example, the API layer 284 (e.g., API server present in a container running on AVM 270) may provide a gateway which may communicate with the user interface 272. The API layer may fetch information, e.g., from the analytics datastore 292, responsive to requests received from the user interface 272, and may return responsive data to the user interface 272. For example, the user interface 272 may be implemented using a web application which may include a variety of widgets—e.g., user interface elements. For example, a text box may allow a requestor to search for files by name, search for users by name, and/or conduct other searches.

In some examples, monitoring of analytics components is provided, e.g., using monitoring service 288 of FIG. 2A. Note that many containers may be provided in the analytics VM 270. Multiple services may be running in the containers. The monitoring service 288 may monitor the status and/or health of services running in the analytics VM 270. The monitoring service 288 may monitor containers and identify whether service is running or not. Beyond the status of the service and the containers, examples of monitoring service 288 may monitor details of the health of the various services running in the containers (e.g., whether the data ingestion engine 294, the analytics datastore 292 (e.g., analytics database), the events pipeline shown in FIG. 3A, or other services provided by the AVM 270 are operating properly, including but not limited to one or more Kafka services and/or elasticsearch databases described herein). Typically, a specific ping call may need to be made to the service to determine if the service is running properly.

However, the monitoring service 288 may be plugged into each of multiple file analytics components (e.g., data ingestion engine 294, the analytics datastore 292, the data collection framework 296) and additionally monitor the performance of each component separately. For example, the monitoring service 288 may utilize APIs available on multiple components to obtain monitoring and/or health information (e.g., an API for a Kafka server and/or an elasticsearch or other database engine). The monitoring service 288 may provide an output (e.g., a JSON file in some examples) that reports the health of the whole system (e.g., health of containers, whether services are running, and additionally whether the services are operating as intended). Normally, a ping call to the service would be needed to determine if the service was working properly; however, the monitoring service 288 is able to monitor the containers, the fact that the services are operating, and also the internal health of the services.

Accordingly, the monitoring service 288 may monitor the entire stack from the infra layer to the application layer—e.g., all components as shown as included in the analytics VM 270. The monitoring service 288 may communicate with one or more other monitoring services (e.g., services used to monitor the VFS 260). In this manner, a single view may be obtained of the health of the VFS 260 and the analytics system.

In some examples, the monitoring service 288 accordingly may provide the storage utilization and/or memory and/or processing utilization (e.g., CPU utilization) for the analytics VM 270, including multiple (e.g., all) of its components. This utilization information may be provided to a monitoring service also monitoring the VFS 260 for utilization metrics such that platform resources may be allocated appropriately as between the analytics VM 270 and other components of the VFS 260.

In order to facilitate monitoring without unduly disrupting service operation, services running on the analytics system (e.g., analytics VM 270) may have an embedded remote procedure call (RPC) service. The embedded RPC service may, for example, provide a separate thread for the service that is monitoring the health of the main process thread. In some examples, the separate monitoring thread may collect particular health information, e.g., number of connections, number of requests being serviced, CPU utilization, and memory utilization. The monitoring service 288 may call the embedded RPC service in the processes to obtain monitoring information in some examples. This may minimize and/or reduce disruption to the operation of the services. Accordingly, the monitoring service 288 may make API calls to some services to obtain monitoring information, and may make calls to embedded RPC services for other components.

Examples of monitoring and/or health information which may be collected by the monitoring service 288 include, but are not limited to, a number of documents, number of events, and/or number of users in a file system (e.g., in VFS 260). In some examples health and monitoring information may be reported and/or displayed—e.g., using UI 272 of FIG. 2A. A positive indicator (e.g., green light or text) may be displayed when all the monitored services and containers are running. A medium indicator (e.g., yellow light or text) may be displayed when at least one service is down and/or a resource is beyond a threshold. A negative indicator (e.g., red light or text) may be displayed when at least one monitored container is down and/or more than one service is down. Monitoring indicators may be displayed for monitored containers—e.g., a database container (e.g., elasticsearch), a data ingestion container (e.g., Kafka container), and/or an API container (e.g., gateway container and/or data analytics framework). In some examples, resource utilization may be monitored by monitoring service 288 including host CPU and memory utilization of one or more of the computing nodes in VFS 260 for example. Memory utilization of one or more data ingestion processes (e.g., Kafka servers) may be monitored. Processor, memory, and/or buffer cache utilization of a database container (e.g., elasticsearch) may be monitored.

Some monitored parameters may be based on a latest run on the monitoring service 288 (e.g., latest API and/or RPC call). Those may include number of documents, number of events, number of users, overall health of file analytics, health for individual containers, and/or service health. Other monitored parameters may be based on data accumulated from multiple runs (e.g., host CPU and memory utilization, disk usage, volume group usage, database CPU, memory and buffer cache utilization, data ingestion engine memory utilization). In some examples, the monitoring service 288 may query containers and/or services periodically, e.g., every 10 seconds in some examples. Monitoring data may be stored in one or more databases, such as in analytics datastore 292 of FIG. 2A and/or analytics datastore 320 of FIG. 3A.

The monitoring service 288 may include multiple monitors (e.g., monitoring processes) in some examples. For example, a host resource monitor, a container resource monitor, and a container and/or service status monitor may be included in monitoring service 288 in some examples. The host resource monitor may be used to obtain current resource utilization (e.g., CPU, memory, disk, volume group) of a host file system—e.g., VFS 260, which may include the analytics VM 270 itself in some examples. The container resource monitor may obtain current resource utilization (e.g., CPU, memory, and/or buffer cache utilization) of containers, such as a data ingestion engine container (e.g., data ingestion engine 294, which may be or include a Kafka server), and/or a database container (e.g., elasticsearch container), such as analytics datastore 292. The container and/or service status monitor may obtain the current status of the monitored containers (e.g., running and/or not running) and the status of services running inside the containers. In some examples, the consolidated health data obtained by the monitoring service 288 may be stored in a single document format (e.g., elasticsearch document, JSON).

In some examples, the monitoring service 288 may generate an alert when a comparison of resource usage for a component with a threshold is unfavorable (e.g., when disk usage is over 75 percent, when CPU usage is over 90 percent, when available memory is under 10 percent, although other threshold values may also be used). In some examples, however, resource usage may compare unfavorably with a threshold for a period of time, and it may not be desirable to raise an alert.

Accordingly, in some examples an alert may not be provided by the monitoring service until after an elapsed period of time (e.g., 15 minutes), and a re-check of the resource usage which still results in an unfavorable comparison to the threshold. In some examples, the monitoring service may maintain a log (e.g., a dictionary) of the resource name and resource usage value for the past several runs of the monitoring service (e.g., five runs). Only when the values for all several runs (e.g., all five runs) or some percentage of the runs compare unfavorably with a threshold will an alert be raised. The log (e.g., dictionary) may be stored, for example, in the datastore 320 of FIG. 3A.

In some examples, the AVM 270 may analyze file server events and/or event data to detect malicious activity. For example, the events processor 280, the security layer 287, and the alert notification component 281 may be configured to analyze received event data to detect security issues. Security issues may be detected based on irregular, anomalous, and/or malicious activity within the file system. For example, the events processor 280 and the alert and notification component 281 may detect malicious software activity (e.g., ransomware) or anomalous user activity (e.g., deleting a large amount of files, deleting a large share, etc.), and the security layer 287 may be configured to provide an alert or notification (e.g., email, text, and/or notification via the user interfaces 272) of the malicious software activity and/or anomalous user activity.

In some examples, the alert and notification component 281 may include an anomaly detection service 291. The anomaly detection service 291 may run in the background and may scan configuration details and file system usage data retrieved from the analytics datastore (e.g., via communication with elasticsearch) to detect anomalies. In some examples, the anomaly detection service 291 may provide detected anomalies per configuration. In some examples, the anomaly detection service 291 may identify anomalies based on configured threshold values and file system usage information. Where anomalies are detected, the alert and notification component 281 may send a notification (e.g., text, email, UI alert, etc.) to users, and may store the detected anomalies in the analytics datastore. In some examples, the anomaly detection service 291 may run periodically and/or according to a schedule. Examples of anomalies may include file access anomalies (e.g., a situation where a specific file was accessed too many times by one or more users within the detection interval), user operation anomalies (e.g., a situation where a user has performed a file operation too many times within the detection interval), and the like. In some examples, the anomaly detection service 291 may be capable of retroactively identifying anomalies missed when the anomaly detection service 291 was unavailable. Various other components of the AVM 270, such as the machine learning service 285, may further be utilized to enhance detection of malicious software activity and/or anomalous user activity.
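The threshold checks described above can be sketched as follows. This is an added example, not code from the patent; the event fields, thresholds, and sample events are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int      # event time, seconds since epoch
    user: str
    op: str      # e.g. "read", "delete", "rename"
    path: str


def detect_anomalies(events, interval_s, user_op_threshold, file_access_threshold):
    """Count events per fixed detection interval and flag counts above threshold.

    The scan uses the stored events' own timestamps, so a time range missed
    while the service was unavailable can be scanned retroactively.
    """
    user_ops = Counter()     # (interval start, user, op) -> count
    file_hits = Counter()    # (interval start, path)     -> count
    for e in events:
        start = (e.ts // interval_s) * interval_s
        user_ops[(start, e.user, e.op)] += 1
        file_hits[(start, e.path)] += 1

    anomalies = []
    # User operation anomalies: one user repeating one operation too often.
    for (start, user, op), n in sorted(user_ops.items()):
        if n > user_op_threshold:
            anomalies.append({"type": "user_operation", "interval_start": start,
                              "user": user, "operation": op, "count": n})
    # File access anomalies: one file touched too often, by any set of users.
    for (start, path), n in sorted(file_hits.items()):
        if n > file_access_threshold:
            anomalies.append({"type": "file_access", "interval_start": start,
                              "path": path, "count": n})
    return anomalies


# Constructed sample: one user deletes six files in the first hour, and one
# file is read four times by three users in the second hour.
SAMPLE_EVENTS = (
    [Event(ts=60 * i, user="mallory", op="delete", path=f"/share/hr/f{i}.docx")
     for i in range(6)]
    + [Event(ts=3600 + 300 * i, user=u, op="read", path="/share/finance/payroll.xlsx")
       for i, u in enumerate(["alice", "bob", "alice", "carol"])]
)

if __name__ == "__main__":
    for anomaly in detect_anomalies(SAMPLE_EVENTS, interval_s=3600,
                                    user_op_threshold=5, file_access_threshold=3):
        print(anomaly)
```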

In some examples, the AVM may use the virtualized file server's “File Blocking Policy” and “SSR” (Self Service Restore) capabilities to prevent attacks from known, identified, and/or suspected ransomware signatures. For example, the file analytics system may utilize an API interface to the VFS 160 of FIG. 1A to perform file blocking to block files from being created and/or renamed to names or properties of known ransomware file names or properties. Blocking generally refers to preventing create and/or rename file operations. The AVM 170 may add rules to a rule storage accessed by the VFS 160 to implement these policies and prevent certain actions and/or file extensions from occurring in the VFS 160. For example, the analytics VM 170 may maintain a database of known, identified, and/or suspected ransomware file extension(s) (e.g., *.zzz or *.cfg) or matching file name and extension pattern (e.g., a*b.zzz, *-info.cfg*, info*.*-att). These extensions and/or rules may be communicated to the VFS 160 for use in implementing file blocking policies. Once configured, any files created or renamed in the VFS 160 may be blocked from being stored or renamed to prohibited extensions or extension patterns. The VFS 160 may provide an event to analytics VM 170 to notify the analytics system of the attempt to create or rename a file with a known ransomware signature. For example, an “access denied [file blocking policy]” message may be generated (e.g., by an FSVM, a hypervisor, or other component of the virtualized file server or distributed architecture) when access and/or rename of a blocked file is attempted. This event may be provided to the analytics VM and logged in an events datastore. The virtualized file server may have an SSR policy definition which allows the virtualized file server to create a snapshot at a regular interval, e.g., an immutable copy of the file system.
Creation of an immutable copy of the file system (e.g., through immutable snapshots) may prevent ransomware attacks from altering the snapshots. Some ransomware attacks may encrypt snapshots used for backup, such that even when an attack is identified and stopped, remediation of the file system is extremely difficult or not possible. Use of immutable snapshots may prevent attacks from encrypting snapshots, providing a reliable source of data for remediation of a file system after an attack. An immutable snapshot refers to a snapshot that is write protected. For example, users may be unable to write to a write protected immutable snapshot, protecting the immutable snapshots from malicious activity. The analytics VM 170 may interface with the virtualized file server to display the current SSR configuration. If any of the shares or exports is not protected (e.g., SSR policy not enabled) or SSR policy is not defined, the analytics VM 170 may create and protect them.
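The file blocking check described above can be illustrated with the patterns the text gives. This is an added example, not code from the patent or from any file server product; the function names, the event fields, case-insensitive matching on the base name, and the sample operations are assumptions.

```python
import fnmatch
import posixpath

# Patterns quoted in the text above as examples of a blocking rule set.
BLOCKED_PATTERNS = ["*.zzz", "*.cfg", "a*b.zzz", "*-info.cfg*", "info*.*-att"]
# Blocking applies to create and rename operations only.
BLOCKED_OPERATIONS = {"create", "rename"}
DENY_MESSAGE = "access denied [file blocking policy]"


def matching_pattern(path, patterns=BLOCKED_PATTERNS):
    """Return the first blocking pattern the file's base name matches, else None."""
    # Assumption: names are compared case-insensitively, and both "/" and "\"
    # are accepted as path separators.
    name = posixpath.basename(path.replace("\\", "/")).lower()
    for pattern in patterns:
        if fnmatch.fnmatchcase(name, pattern.lower()):
            return pattern
    return None


def evaluate(op, path, new_path=None, patterns=BLOCKED_PATTERNS):
    """Return (allowed, event); event is the record sent to the analytics VM."""
    if op not in BLOCKED_OPERATIONS:
        return True, None
    # For a rename, the name that matters is the one the file would end up with.
    target = new_path if op == "rename" else path
    pattern = matching_pattern(target, patterns)
    if pattern is None:
        return True, None
    return False, {"operation": op, "path": path, "target": target,
                   "pattern": pattern, "message": DENY_MESSAGE}


def apply_policy(operations, patterns=BLOCKED_PATTERNS):
    """Run operations through the policy; return (allowed operations, denial events)."""
    allowed, events = [], []
    for op, path, new_path in operations:
        ok, event = evaluate(op, path, new_path, patterns)
        if ok:
            allowed.append((op, path, new_path))
        else:
            events.append(event)   # stands in for the events datastore
    return allowed, events


# Constructed sample operations: (operation, path, new path for a rename).
SAMPLE_OPERATIONS = [
    ("create", "/share/q3/budget.xlsx", None),
    ("rename", "/share/q3/report.docx", "/share/q3/report.docx.zzz"),
    ("create", "/share/q3/notes-info.cfg.bak", None),
    ("create", "\\\\fs\\share\\INFO2024.abc-ATT", None),
    ("write", "/share/old/archive.zzz", None),   # not a create or rename
]

if __name__ == "__main__":
    allowed_ops, denial_events = apply_policy(SAMPLE_OPERATIONS)
    for event in denial_events:
        print(event)
```

A broad pattern such as `*.cfg` also denies legitimate files with that extension, so each denial event is a signal to review rather than a confirmed attack.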

The AVM 270 may also, in some examples, be configured to take action responsive to the detection of suspected or actual ransomware.

FIG. 2B is an example procedure which may be implemented by monitoring service 288 to raise alerts. The monitoring service 288 may collect health data on one or more containers and/or services in block 210. The health data may indicate whether or not the service is healthy (e.g., running or operational). The monitoring service 288 may analyze the health data in block 212 to ascertain whether the service is healthy. If the service is not healthy (e.g., the health data indicates the service is not running or operational), the lack of health may be logged by the analytics VM (e.g., the monitoring service 288) in block 214, and an alert raised in block 216 (e.g., the analytics VM, such as using monitoring service 288, may display an alert, or may email, text, or otherwise report an alert).

If the service is healthy, the monitoring service 288 may collect resource consumption data for the service (e.g., CPU usage, memory usage, disk usage, volume group usage, etc.) in block 218. Resource threshold parameters may also be accessed in block 220 (e.g., the monitoring process may access threshold parameters from a configuration and/or profile file accessible to the monitoring service). The resource threshold parameters may include, for example, a lower threshold, an upper threshold, and/or a duration limit. If the service's resource usage is greater than the lower threshold (e.g., checked by the monitoring process in block 222), the status may be logged in block 224. If the service's resource usage is less than the upper threshold (e.g., checked by the monitoring process in block 226), the status may be logged in block 224. While the checks against the lower threshold and upper threshold are shown as consecutive blocks 222 and 226 in FIG. 2B, it is to be understood that the checks could happen in either order. In some examples, the block 222 and block 226 may happen wholly and/or partially simultaneously. If the service's resource usage is less than the lower threshold and/or greater than the upper threshold, however, the monitoring service may evaluate, e.g., in block 228, whether the consumption has been unfavorable relative to a threshold for less than the duration limit. If the consumption has been unfavorable relative to a threshold for less than a duration limit, the situation may be logged in block 224. However, if the consumption has been unfavorable relative to a threshold for more than a duration limit, an alert may be raised (e.g., an alert may be displayed, emailed, texted, or otherwise reported) in block 230.
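The FIG. 2B flow, including the delayed alerting discussed earlier for usage that is only briefly over a threshold, can be sketched as below. This is an added example, not the patent's implementation; the class and field names, the threshold values, and the sample runs are constructed assumptions, and block numbers appear only as comments.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Thresholds:
    lower: float
    upper: float
    duration_limit_s: int


class MonitoringService:
    def __init__(self, thresholds):
        self.thresholds = thresholds   # resource name -> Thresholds
        self.breach_started = {}       # (service, resource) -> time of first unfavorable sample
        self.log = []

    def run(self, now, service, healthy, usage):
        """One monitoring pass for one service; returns the alerts raised."""
        if not healthy:                                               # block 212
            self.log.append((now, service, "service not healthy"))    # block 214
            return [f"{service}: not running"]                        # block 216
        alerts = []
        for resource, value in usage.items():                         # block 218
            limits = self.thresholds[resource]                        # block 220
            key = (service, resource)
            if limits.lower <= value <= limits.upper:                 # blocks 222, 226
                # Back in range: forget the earlier breach, so a later one
                # starts a fresh duration window.
                self.breach_started.pop(key, None)
                self.log.append((now, service, f"{resource}={value} ok"))  # block 224
                continue
            started = self.breach_started.setdefault(key, now)
            if now - started < limits.duration_limit_s:               # block 228
                self.log.append((now, service, f"{resource}={value} unfavorable"))
            else:                                                     # block 230
                alerts.append(f"{service}: {resource}={value} outside "
                              f"[{limits.lower}, {limits.upper}] for {now - started}s")
        return alerts


# Constructed thresholds: alert on disk over 75 or CPU over 90, sustained for 15 minutes.
THRESHOLDS = {"disk": Thresholds(0, 75, 900), "cpu": Thresholds(0, 90, 900)}

# Constructed runs: (time in seconds, service, healthy, usage).
SAMPLE_RUNS = [
    (0,    "elasticsearch", True,  {"cpu": 95, "disk": 80}),
    (300,  "elasticsearch", True,  {"cpu": 40, "disk": 81}),   # CPU spike recovers
    (600,  "elasticsearch", True,  {"cpu": 96, "disk": 82}),   # new CPU breach begins
    (900,  "elasticsearch", True,  {"cpu": 97, "disk": 83}),   # disk unfavorable for 900 s
    (1200, "kafka",         False, {}),                         # service down
]


def replay(samples, thresholds=THRESHOLDS):
    """Feed samples through a fresh monitor; return (time, alert) pairs."""
    monitor = MonitoringService(thresholds)
    raised = []
    for now, service, healthy, usage in samples:
        raised.extend((now, alert) for alert in monitor.run(now, service, healthy, usage))
    return raised


if __name__ == "__main__":
    for when, alert in replay(SAMPLE_RUNS):
        print(when, alert)
```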

FIG. 3A illustrates a flow diagram 300 associated with ingestion of information from a virtualized file server (VFS) file system 360 by an analytics VM 370 according to particular embodiments. The analytics VM 370 may retrieve, organize, aggregate, and/or analyze information corresponding to the VFS file system 360 in an analytics datastore 320. The VFS 160 and/or the analytics VM 170 of FIG. 1A and/or 1B and/or 1C and/or the VFS 260 and/or the analytics VM 270 of FIG. 2A may implement the VFS file system 360 and/or the analytics VM 370, respectively. The architecture of FIG. 3A can be implemented using a distributed platform that contains a cluster of multiple host machines that manage a storage pool, which may include multiple tiers of storage. In some examples, the analytics VM 370 may be hosted by one or more of the cluster of multiple host machines. In some examples, the analytics VM 370 may be provided by a computing system in communication with the cluster of multiple host machines. In some examples, the analytics VM 370 may be provided as a hosted cloud solution, e.g., provided on a cloud computing platform and configured for communication with the VFS 360.

As shown in the flow diagram 300, the FSVM1-N of the VFS 360 may each include an audit framework 362 to provide a pipeline for audit events that flow from each of the FSVM1-N through the message system (e.g., a respective producer channel(s) 310, a respective producer message handler(s) 312, and a message broker 314) to an events processor 316 (e.g., a consumer message handler) and a consumer channel 318 of the analytics VM 370.

The audit framework 362 of or associated with each of the FSVM1-N may be configured to support the persistent storage of audit events within the VFS 360, as well as to provision the event data to the analytics VM 370. In some examples, while the audit framework 362 is depicted as being part of the FSVM1, the audit framework 762 may be hosted by another component (e.g., application, process, and/or service) of the VFS 360 or of the distributed computing system or in communication with the distributed computing system 300 (e.g., computing node, administrative system, virtualization manager, storage controllers, CVMs, hypervisors, managers, etc.). The audit framework 362 may each include a dedicated event log (e.g., tied to a FSVM-specific volume group) that is capable of being scaled to store all event data and/or metadata for a particular FSVM until successfully sent to the analytics VM 370. The audit framework may include an audit queue, an event logger, an event log, and a service connector. The audit queue may be configured to receive event data and/or metadata from the VFS 360 via network file server or server message block server communications, and to provide the event data and/or metadata to the mediator (e.g., event logger). The event logger may be configured to store the received event data and/or metadata from the audit queue, as well as retrieve requested event data and/or metadata from the event log in response to a request from the service connector. The service connector may be configured to communicate with other services (e.g., such as a message topic broker 314) to respond to requests for provision of event data and/or metadata, as well as receive acknowledgments when event data and/or metadata are successfully received by the analytics VM 370. The events in the event log may be uniquely identified by a monotonically increasing sequence number, will be persisted to an event log, and will be read from it when requested by the service connector.

The event logger may coordinate all of the event data and/or metadata writes and reads to and from the event log, which may facilitate the use of the event log for multiple services. The event logger may keep the in-memory state of the write index in the event log, and may persist it periodically to a control record (e.g., a master block). When the audit framework is started or restarted, the master record may be read to set the write index.

Multiple services may be able to read from the event log via their own service connectors (e.g., Kafka connectors). A service connector may have the responsibility of sending event data and metadata to the requesting service (e.g., such as the message topic broker 314) reliably, keeping track of its state, and reacting to its failure and recovery. Each service connector may be tasked with persisting its respective read index, as well as being able to communicate the respective read index to the event logger when initiating an event read. The service connector may increment the in-memory read index only after receiving acknowledgement from its corresponding service and will periodically persist the in-memory state. The persisted read index value may be read at start/restart and used to set the in-memory read index to a value from which to start reading.

During service start/recovery, the service connector may detect its presence and initiate an event read by communicating the read index to the event logger to read from the event log as part of the read call. The event logger may use the read index to find the next event to read and send to the requesting service (e.g., message topic broker 314) via the service connector.

As previously discussed, the audit framework 362 and event log may be tied to a particular FSVM in its own volume group. Thus, if a FSVM is migrated to another computing node, the event log may move with the FSVM and be maintained in the separate volume group from event logs of other FSVMs.

The message broker 314 may, for example, be implemented using a broker which may be hosted on a software bus, e.g., a Kafka server. The message broker may store and/or process messages according to topics. Each topic may be associated with a number of partitions, with a higher number of partitions corresponding to a faster possible rate of data processing. In some examples, a topic may be associated with each file server FSVM1-N of an associated VFS 360. In some examples, a topic may be associated with individual or groups of FSVMs. The topic may be used by the FSVM1-N as a destination to which to send events. In some examples, a topic may indicate a priority level. Examples of topics include high, medium, low, and bursty/high. For example, a high topic may have a larger number of partitions of the message broker dedicated to the high topic than are dedicated to a medium or low topic. In some examples, a bursty topic may be used to accommodate a spike in user activity at the file server—event data during this spike may be put in a bursty topic with a large number of associated partitions. The Kafka server may be implemented in a docker container with any number of partitions. The Kafka server may be included in analytics VMs described herein. Consumers (e.g., one or more nodes of an analytics datastore) may consume messages from the message broker by topic in some examples.

To provide audit event data, the audit framework 362 of or associated with each FSVM1-N of the file system 360 may publish audit events (e.g., event data) to a respective producer channel 310, which are received and managed by a respective producer message handler 312. The respective producer message handlers 312 may forward the audit events to the message broker 314. The message broker 314 may route the audit events to consumers, including the events processor 316 of the analytics VM 370, which are routed to and stored at the analytics datastore 320 via a consumer channel 318.

The analytics VM 370 and/or the VFS 360 may further include architecture to prevent event data from being processed out of chronological order. For example, the service connector of the audit framework 362 and/or the message topic broker 314 may keep track of the message sequence number it has seen before failure, and may ignore any messages which have a sequence number less than or equal to the sequence number it has seen before failure. An exception may be raised by the message topic broker 314 if the event log does not have the event for the sequence number expected by the service connector or if the message topic broker 314 indicates that it has received a message with a sequence number that is not consecutive. In order to use the same event log for other services, a superset of all the proto fields will be taken to create a common format for the event record. The service connector will be responsible for filtering the required fields to get the ones it needs.

In some examples, the events processor 316 may analyze the event received and make a determination whether metadata should be collected associated with that event. If metadata may have changed as a result of the event, the analytics VM 370 may utilize the metadata collection process 330 to retrieve new and/or updated metadata associated with the event. Examples of events that may have an associated metadata for retrieval include file create, file write, directory create, rename, security, and set attribute. Metadata which may be collected associated with the events may include file size, file owner, time statistics (e.g., creation time, last modification time, last access time), and/or access control list (ACL). If no metadata may be collected associated with the event, in some examples, the events processor 316 may provide the event for storage in analytics datastore 320. If metadata is collected associated with the event, the events processor 316 may in some examples provide both the event and the associated metadata to the analytics datastore 320.

FIG. 3B depicts an example sequence diagram 301 for transmission of event data records from the audit framework 362 to the analytics VM 370 in accordance with embodiments of the disclosure. As shown in FIG. 3B, the audit framework 362 may provide index value 1 event data record to the analytics VM 370. The index value 1 event data record is received by the analytics VM 370. The audit framework 362 may then provide index value 2 event data record to the analytics VM 370, which may be successfully received by the analytics VM 370. The audit framework 362 may provide index value 3 event data record. However, in this example depicted in FIG. 3B, the index value 3 event data record may not be successfully received by the analytics VM 370. The audit framework 362 may continue on to provide index value 4 event data record to the analytics VM 370, which may be successfully received by the analytics VM 370. In response to receipt of the index value 4 event data record before receipt of the index value 3 event data record, the analytics VM 370 may provide a NACK message to the audit framework 362 indicating that the index value 3 event data record was not received. In response to the NACK message, the audit framework 362 may then provide index value 3 event data record to the analytics VM 370, which may be successfully received by the analytics VM 370. The audit framework 362 may then continue by providing the index value 4 event data record to the analytics VM 370 again.

The sequence diagram 301 of FIG. 3B is exemplary, and other implementations may be utilized to ensure event data record is processed in chronological order without departing from the scope of the disclosure. For example, rather than continuing to send the event data record until a NACK is received from the analytics VM 370, the analytics VM 370 may provide an ACK message in response to receiving each indexed value event data record, and the audit framework 362 may wait to send the next indexed value event data record until an ACK is received. If no ACK message is received after a time period, the audit framework 362 may re-send the previous indexed event data record.
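The FIG. 3B exchange, together with the rule that records at or below the last seen sequence number are ignored, can be simulated as follows. This is an added example, not code from the patent; the class and function names and the event log contents are constructed, and the end-of-log branch models the ACK/timeout variant described above.

```python
class AnalyticsReceiver:
    """Consumer side: accepts records only in consecutive index order."""

    def __init__(self):
        self.last_seq = 0     # highest index processed so far
        self.processed = []

    def receive(self, seq, record):
        if seq <= self.last_seq:
            return "IGNORED", seq          # duplicate or replay after a restart
        expected = self.last_seq + 1
        if seq != expected:
            return "NACK", expected        # gap: ask for the missing index
        self.processed.append((seq, record))
        self.last_seq = seq
        return "OK", seq


def stream(event_log, receiver, lose_first_attempt=()):
    """Send the event log in index order; return the trace of transmissions.

    lose_first_attempt lists indices whose first transmission is lost in
    transit (a constructed fault, used to exercise the NACK path).
    """
    last = max(event_log)
    lost_once = set()
    trace = []
    read_index = receiver.last_seq + 1     # resume from the acknowledged position
    while True:
        if read_index > last:
            # End of log. A NACK only fires when a later record arrives, so a
            # lost final record is recovered by resending from the last
            # acknowledged index (the ACK/timeout variant).
            if receiver.last_seq >= last:
                break
            read_index = receiver.last_seq + 1
            continue
        seq = read_index
        if seq in lose_first_attempt and seq not in lost_once:
            lost_once.add(seq)
            trace.append((seq, "LOST"))
            read_index += 1
            continue
        status, ref = receiver.receive(seq, event_log[seq])
        trace.append((seq, status))
        # On NACK, rewind the read index to the missing record and replay.
        read_index = ref if status == "NACK" else seq + 1
    return trace


# Constructed event log keyed by monotonically increasing sequence number.
EVENT_LOG = {
    1: "create /share/a.docx",
    2: "write /share/a.docx",
    3: "rename /share/a.docx /share/b.docx",
    4: "write /share/b.docx",
    5: "delete /share/b.docx",
}

if __name__ == "__main__":
    receiver = AnalyticsReceiver()
    for step in stream(EVENT_LOG, receiver, lose_first_attempt={3}):
        print(step)
```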

Also, as described, message broker 314 may store and/or process messages according to topics, which may each be divided into a number of partitions, with a higher number of partitions corresponding to a faster possible rate of data processing. To ensure data for a particular file (e.g., or share, directory, etc.) is processed in chronological order, event data records for a particular file may be routed to the same partition.

FIG. 3C depicts an example timing diagram 302 for routing event data records to particular message topics and message topic partitions in accordance with embodiments of the disclosure. As shown in FIG. 3C, event data is received from times T0 to T8 (e.g., event data record 1, file 1 (E1F1) received at time T0, event data record 2, file 2 (E2F2) received at time T1, etc.). As each event data record is received, it may be routed to a queue for one of partition 1 or partition 2. The partition 1 and 2 queues may be processed first in, first out. The timing diagram 302 may be implemented using event pipelines described herein, such as the pipeline of FIG. 3A, including by the message topic broker 314 and/or event processor 316.

At time T0, the E1F1 event data record may be routed to the partition 1 queue. At time T1, the E2F2 event data record may be routed to the partition 2 queue, and at time T2, the E3F3 event data record may be routed to the partition 1 queue. The routing of the event data records from times T0 to T2 may be based on a load on each partition, in some examples.

However, at time T3, the E4F1 event data record may be routed to the partition 1 queue, because the E1F1 event data record pertaining to file 1 has already been routed to the partition 1 queue. Routing to the same partition queue may ensure that the event data records for file 1 are processed in chronological order. Continuing on at time T4, the E5F4 event data record may be routed to the partition 2 queue, and at time T5, the E6F5 data may be routed to the partition 2 queue based on load or some other criteria.

At time T6, the E7F4 event data record may be routed to the partition 2 queue, because the E5F4 event data record pertaining to file 4 has already been routed to the partition 2 queue. Similarly, at time T7, the E8F1 event data record may be routed to the partition 1 queue, because the E1F1 and the E4F1 event data records pertaining to file 1 have already been routed to the partition 1 queue.

The timing diagram 302 of FIG. 3C is exemplary, and other implementations may be utilized to ensure event data records are processed in chronological order without departing from the scope of the disclosure. For example, a topic may be divided into more than two partitions, in some examples. In addition, the partition queues may include more or fewer than the five slots depicted in the timing diagram of FIG. 3C. Moreover, while chronological order is described as being maintained in examples described herein—other orders or sequences may be maintained in other examples.
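The routing rule walked through for FIG. 3C can be sketched as follows, next to a round-robin router that does not keep a file's events together. This is an added example, not code from the patent; the class and function names are constructed, and choosing the least-loaded partition for a previously unseen file is an assumption consistent with the load-based routing the text mentions.

```python
from collections import deque


class StickyPartitionRouter:
    """Route every event for a file to the partition that file was first given."""

    def __init__(self, partitions=2):
        self.queues = {p: deque() for p in range(1, partitions + 1)}
        self.assignment = {}   # file id -> partition

    def route(self, event_id, file_id):
        partition = self.assignment.get(file_id)
        if partition is None:
            # New file: pick the least-loaded partition, lowest number on a tie.
            partition = min(self.queues, key=lambda p: (len(self.queues[p]), p))
            self.assignment[file_id] = partition
        self.queues[partition].append((event_id, file_id))
        return partition


def route_sticky(events, partitions=2):
    """Return the partition chosen for each event under sticky routing."""
    router = StickyPartitionRouter(partitions)
    return [router.route(event_id, file_id) for event_id, file_id in events]


def route_round_robin(events, partitions=2):
    """Contrast case: alternate partitions and ignore which file an event is for."""
    return [(i % partitions) + 1 for i, _ in enumerate(events)]


def files_split_across_partitions(events, routes):
    """Files whose events landed in more than one partition.

    Separate partition queues are drained independently, so events for these
    files may be processed out of chronological order.
    """
    seen = {}
    for (_, file_id), partition in zip(events, routes):
        seen.setdefault(file_id, set()).add(partition)
    return {f for f, parts in seen.items() if len(parts) > 1}


# Event sequence from the FIG. 3C walkthrough: (event number, file).
FIG_3C_EVENTS = [(1, "F1"), (2, "F2"), (3, "F3"), (4, "F1"),
                 (5, "F4"), (6, "F5"), (7, "F4"), (8, "F1")]

if __name__ == "__main__":
    sticky = route_sticky(FIG_3C_EVENTS)
    print("sticky     :", sticky)
    print("split files:", files_split_across_partitions(FIG_3C_EVENTS, sticky))
    rr = route_round_robin(FIG_3C_EVENTS)
    print("round robin:", rr)
    print("split files:", files_split_across_partitions(FIG_3C_EVENTS, rr))
```

A stateless alternative with the same per-file guarantee is to hash the file identifier to choose the partition, which is how keyed records are partitioned by default in Kafka producers.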

The analytics datastore 320 may be implemented using an analytics engine store, such as an elasticsearch database. The database may in some examples be a distributed database. The distributed database may be hosted on a cluster of computing nodes in some examples. In some examples, the analytics datastore 320 may be segregated by age and may be searched in accordance with data age. For example, once an event or metadata crosses an age threshold, it may be moved to an archive storage area. Data in the archive storage area may be accessed and included in search and other reporting only when specifically requested in some examples. In some examples, when tiered or archived event and/or metadata crosses a certain age threshold, it may be deleted.

In an example of a data tiering configuration, a first category of data may be a ‘hot’ category and may be associated with that category if it is less than a first threshold of age (e.g., within 1 month). A second category of data may be ‘warm’ data which may be between a range of age (e.g., between 1-6 months old). A third category of data may be ‘cold’ data which may be between a range of age (e.g., between 6-12 months old). A fourth category of data may be ‘frozen’ data which may be tiered (e.g., archived) and may be over a threshold age (e.g., older than 12 months). Tiered data may be generally stored in any archive repository, including, but not limited to, any NAS (e.g., NFS/SMB), Amazon Web Services S3, Hadoop distributed file system, Azure, etc. A fifth category of data may be deleted, such as when it has been tiered for over (e.g., longer than) a threshold time (e.g., tiered for more than 12 months). Archives may be deleted in some examples using snapshot and restore APIs. In some examples, certain categories of data may be included in searches and queries performed by the analytics VM by default, and some only with user request. For example, the hot and warm categories may be included in searches and/or reporting by default, while the cold, frozen, and/or tiered categories may be included only by user request.

In some examples, event data may be collected as syslog events. The events may be provided to the analytics datastore 320 (e.g., by events processor 316) using filebeat and an ingest pipeline.

In some examples, the events processor 316 may be implemented, at least in part, using a Kafka connector. In some examples, the analytics datastore 320 may be implemented using an elasticsearch cluster. The events processor 316 may perform a variety of functions on event data received from the broker. In some examples where the message broker may be implemented with a Kafka server, a Kafka connector may be used to pull events from the Kafka server and ingest them into the analytics datastore (e.g. elasticsearch cluster). For example, the events (e.g., a Kafka message indicative of an event) may be provided in a protocol buffer standard, which may be used to generate a protocol buffer event object provided by the broker (e.g., Kafka server). The events processor 316 may de-serialize received objects (e.g., data, protocol buffer event objects). The events processor 316 may map message fields of the data to those of the analytics datastore 320 (e.g., to elasticsearch fields). The events processor 316 may parse and extract information from the event data. The events processor 316 may ingest the data into indices of the analytics datastore 320 (e.g., to elasticsearch indices). In some examples, data may be indexed into a particular folder based on an event type. Event types may include folder or directory or other classification of portion of the file server pertaining to the event. The events processor 316 may perform data exception handling.

In some examples, the analytics datastore 320 may be scaled in accordance with an amount of data being processed by message brokers (e.g., Kafka servers). Multiple consumers (e.g., analytics datastore nodes, such as elasticsearch nodes) may process data from particular topics. Generally, the multiple consumers processing data from topics may form a group designated by a unique name in the datastore (e.g., cluster). Messages published to the message broker may be distributed across database instances (e.g., analytics datastore nodes) in the group, but each message may be handled by a single consumer in the group in some examples.

In some examples, the analytics VM may monitor throughput of one or more message topics. Based on the read throughput for the topic, the analytics VM may cause horizontal scaling of the analytics data store. For example, when read throughput falls below a particular level, the analytics VM may spin up another node of the analytics datastore. The new node may be subscribed to the topic having the below-threshold read throughput. When read throughput rises above a particular level for a particular topic, in some examples, the analytics VM may spin down (e.g., remove) a node of the analytics data store subscribed to that topic.

In this manner, when a new instance of the analytics datastore joins a group subscribed to a topic, a rebalancing may occur in the message broker (e.g. Kafka server). The message broker may reassign partitions (e.g., topics) to consumers based on metadata regarding the analytics datastore. Advantageously, the use of multi-node analytics datastores may add fault tolerance. For example, if a node of the analytics datastore goes down, the message broker may engage in rebalancing to distribute assignments among remaining analytics datastore instances.

Accordingly, referring to FIG. 3A, the messaging system, including the producer message handler 312, the message topic broker 314, and the events processor 316 may process multiple audit event threads in parallel, which may aid in keeping the integrity of those audit events (e.g., keeping the events in order) such that a new event may not be overwritten by an older event in the analytics datastore 320, even if the older event is received out of order.

In addition, the analytics VM 370 may retrieve metadata and configuration information from the file system 360 via a metadata collection process 330 and a configuration information collection process 340, respectively. In some examples, the configuration information collection process 340 includes an API architecture. In some examples, the event data and the metadata may include a unique user identifier that ties back to a user, but is not used outside of the event data generation. In some examples, a portion of the configuration information collection process 340 may include the retrieval of a user ID-to-username relationship from an active directory by connecting to a lightweight directory access protocol (LDAP). In addition, rather than requesting a username or other identifier associated with the unique user identifier for every event, the analytics VM 170 may maintain a username-to-unique user identifier conversion table (e.g., stored in cache) for at least some of the unique user identifiers, and the username-to-unique user identifier conversion table may be used to retrieve a username, which may reduce traffic and improve performance of the VFS 160. Providing user context for active directory enabled SMB shares may help an administrator understand which user performed which operation as well as ownership of the file. In some examples, the configuration information collection process 340 may include a synchronization operation to retrieve share status from the VFS 360. Thus, if a share is deleted, that information may be updated in the analytics datastore 320.

The metadata collection process may include gathering the overall size, structure, and storage locations of parts of the file system managed by the VFS 360, as well as details for each data item (e.g., file, folder, directory, share, owner information, permission information, etc.) in the VFS 360. In some examples, the metadata collection process 330 may utilize SMB and/or NFS commands to obtain metadata information. Metadata which may be collected may include, but is not limited to, file owner, group owner, ACLs, total space on share, free space on share, list of available shares, create time, last access time, last change time, file size, list of files and directory at root of share.

In some examples, the metadata collection process 330 may initially gather metadata for a set of (e.g., all) files hosted by an associated file server. In some examples, the metadata collection process 330 may scan snapshots of the file server. In some examples, the metadata collection process 330 may initially, or subsequent to an initial scan, use one or more snapshots of the VFS 360 to receive initial and/or updated metadata, such as a snapshot provided by a disaster recovery application of the VFS 360. For example, the analytics VM 370 may mount a snapshot of the VFS 360 to retrieve metadata from the VFS 360. Each snapshot may represent a state of the file system managed by the VFS 360 at a point in time. The analytics VM 370 may use the information gathered from the one or more snapshots to develop a comprehensive picture of the file system managed by the VFS 360 at a point in time, as well as to derive events by comparing successive snapshots.

In some examples, the metadata collection processes performed by the analytics VM 370 may include a multi-threaded breadth-first search (BFS) that involves performing parallel threaded file system scanning. The parallel threaded file system scanning may include parallel scanning of different shares, parallel scanning of different folders of a common share, or any combination thereof. In some examples, the metadata collection process may implement a parallel BFS with level order traversal of a directory tree to collect metadata. Level order traversal may include processing a directory tree one level at a time. For example, starting with a top-level directory, a first level of a directory tree is processed before moving on to a next level of the directory tree. The level order traversal includes a current queue, which includes each item in the level of the directory tree currently being processed, and a next queue, which includes children of the level of the directory tree currently being processed. When processing of the current queue is completed, the current queue may be loaded with the next queue entries. By performing level order traversal, a size of the two queues may be more manageable, as compared with a system where every item from a directory tree is loaded into a single queue. The parallel BFS may include starting a thread on each level, and letting processing of all the data items on that level complete in the current queue before moving to the next or child queue.

In some examples, during the metadata scan, the VFS 360 and/or the analytics VM 370, or another service, process, or application hosted or running on or in communication with the system of FIG. 3A may add a checkpoint or marker after every completed metadata transaction to indicate where it left off. In some examples, when processing of the current queue is complete, the current queue may be stored as the checkpoint before loading the next queue into the current queue. The checkpoint may allow the analytics VM 370 to return to the checkpoint to resume the scan should the scan be interrupted for some reason. Without the checkpoint, the metadata scan may start anew, creating duplicate metadata records in the events log that need to be resolved.
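The two-queue level order traversal and the per-level checkpoint described above, as an added sketch (not code from the patent or any product). The in-memory sample tree, the JSON checkpoint layout, the `interrupt_at_level` knob and the choice to checkpoint the queue that is about to become current are all assumptions made for illustration.

```python
import json
import os
import tempfile
from concurrent.futures import ThreadPoolExecutor

# Constructed sample tree: directory -> child names (trailing "/" marks a directory).
SAMPLE_TREE = {
    "/share": ["hr/", "eng/", "readme.txt"],
    "/share/hr": ["payroll.xlsx", "policies/"],
    "/share/hr/policies": ["leave.docx"],
    "/share/eng": ["design.pdf"],
}


def scan_item(item):
    """Process one queue entry: build its metadata record and list its children."""
    path, is_dir = item
    record = {"path": path, "type": "dir" if is_dir else "file"}
    children = []
    if is_dir:
        for name in SAMPLE_TREE.get(path, []):
            children.append([path + "/" + name.rstrip("/"), name.endswith("/")])
    return record, children


def save_checkpoint(checkpoint_file, level, queue):
    """Write the checkpoint atomically so a crash never leaves a half-written file."""
    tmp = checkpoint_file + ".tmp"
    with open(tmp, "w") as fh:
        json.dump({"level": level, "queue": queue}, fh)
    os.replace(tmp, checkpoint_file)


def level_order_scan(root, checkpoint_file, records, workers=4, interrupt_at_level=None):
    """Scan one level at a time; resume from checkpoint_file when it exists."""
    if os.path.exists(checkpoint_file):
        with open(checkpoint_file) as fh:
            state = json.load(fh)
        level, current = state["level"], state["queue"]
    else:
        level, current = 0, [[root, True]]

    with ThreadPoolExecutor(max_workers=workers) as pool:
        while current:
            if interrupt_at_level == level:  # simulated interruption (hypothetical knob)
                raise RuntimeError("scan interrupted before level %d" % level)
            next_queue = []
            # Items of the current level are scanned in parallel; the level
            # finishes completely before the scan descends.
            for record, children in pool.map(scan_item, current):
                records.append(record)
                next_queue.extend(children)
            # Level done: persist the queue that becomes current next, so a
            # resumed scan neither repeats this level nor skips the next one.
            level += 1
            save_checkpoint(checkpoint_file, level, next_queue)
            current = next_queue
    os.remove(checkpoint_file)
    return records


def demo():
    """Interrupt a scan before level 2, then resume it from the checkpoint."""
    with tempfile.TemporaryDirectory() as workdir:
        checkpoint = os.path.join(workdir, "scan.ckpt")
        records = []  # stands in for the analytics datastore
        try:
            level_order_scan("/share", checkpoint, records, interrupt_at_level=2)
        except RuntimeError:
            pass
        before = len(records)
        level_order_scan("/share", checkpoint, records)
        return before, [r["path"] for r in records]


if __name__ == "__main__":
    print(demo())
```

Only two levels are ever held in memory, and the resumed scan adds no duplicate records because it starts at the checkpointed level rather than at the root.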

In some examples, the analytics VM 370 may make an initial snapshot scan of the VFS 360 to obtain initial metadata concerning the file system (e.g., number of files, directories, file names, file sizes, file owner ID and/or name, file permissions (e.g., access control lists, etc.)) using the FSVM1-3 snapshots. The analytics VM 370 may provide an API call (e.g., SMB ACL call) to the VFS 360 to retrieve owner usernames and/or ACL permission information based on the owner identifier and the ACL identifier.

For disaster recovery, the FSVMs1-N or another component (e.g., application, process, and/or service) of the VFS 360 or of the clustered virtualization environment or in communication with the clustered virtualization environment 200 (e.g., computing node, administrative system, virtualization manager, storage controller, CVMs, hypervisors, etc.) may periodically generate new, updated snapshots of the file system to aid in disaster recovery over time. In some examples, in addition to use of individual ones of the snapshots to determine a state of the file system at a point in time, the analytics VM 370 may compare different versions of the snapshots to detect metadata differences, and then may use those detected metadata differences to derive event data. For example, if the metadata of a first snapshot indicates that a particular share has a first size and the metadata of a second snapshot indicates that the particular share has a second size, the analytics VM 370 may generate an event that the size of the particular file was changed from the first size to the second size. Other types of events may be derived by the analytics VM 270 if a metadata comparison between two snapshots reveals that a file/folder/share/directory/etc. is added, removed, moved, or some other change has taken place.
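Deriving events from the metadata of two successive snapshots, as an added sketch (not code from the patent or any product). The snapshot contents are constructed, and keying the metadata by file ID, the record fields and the event names are assumptions.

```python
import posixpath

# Constructed metadata from two snapshots, keyed by file ID (assumed layout).
SNAP_T1 = {
    100: {"path": "/hr/abc.docx", "size": 1200},
    101: {"path": "/hr/old.xlsx", "size": 800},
    102: {"path": "/eng/plan.pdf", "size": 5000},
    103: {"path": "/eng/notes.txt", "size": 90},
}
SNAP_T2 = {
    100: {"path": "/hr/abc.docx", "size": 4096},        # size changed
    102: {"path": "/archive/plan.pdf", "size": 5000},   # moved to another folder
    103: {"path": "/eng/notes-v2.txt", "size": 90},     # renamed in place
    104: {"path": "/hr/new.docx", "size": 10},          # added
}


def derive_events(old, new):
    """Compare two snapshot metadata maps and return the implied events."""
    events = []
    for fid in sorted(set(old) | set(new)):
        before, after = old.get(fid), new.get(fid)
        if before is None:
            events.append({"op": "create", "id": fid, "path": after["path"]})
            continue
        if after is None:
            events.append({"op": "delete", "id": fid, "path": before["path"]})
            continue
        if before["path"] != after["path"]:
            # Same parent directory means a rename, otherwise a move.
            same_dir = (posixpath.dirname(before["path"])
                        == posixpath.dirname(after["path"]))
            events.append({"op": "rename" if same_dir else "move", "id": fid,
                           "old_path": before["path"], "path": after["path"]})
        if before["size"] != after["size"]:
            events.append({"op": "size_change", "id": fid, "path": after["path"],
                           "old_size": before["size"], "size": after["size"]})
    return events


if __name__ == "__main__":
    for event in derive_events(SNAP_T1, SNAP_T2):
        print(event)
```

A diff of this kind sees only the two end states, so operations that happened and were undone between the snapshots leave no derived event.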

In some examples, the shares of the file system managed by the VFS 360 may be sharded (e.g., distributed across multiple FSVMs), which may impact capturing of a complete set of metadata for the file system. Thus, as part of the metadata collection process, a distributed file protocol, e.g., DFS, may be used to obtain a collection of FSVM IDs (e.g., IP addresses) to be mounted to access a full share. However, in some examples, the analytics tool may be implemented using a Linux client or other client that may not support DFS referrals or other distributed file protocol to obtain identification of which FSVMs host which files (e.g., which shares). Typically, files may be sharded across multiple FSVMs based on their top-level directory (e.g., an initial folder such as \\enterprise\hr in the file system may include files and/or lower level folders stored across multiple FSVMs).

Accordingly, if a FSVM1 snapshot for a portion of a share hosted by one of the FSVMs is mounted, the analytics VM 370 may identify all folders (e.g., top-level directories), but not all data for the share may be available via the snapshot. Rather, some of the data may be hosted on other FSVMs of the VFS 360, and stored in snapshots generated by those FSVMs. In some examples, the analytics VM 370 may map top-level directories to the FSVMs using the snapshots, and then may use that information to traverse those directories. So, for example, the analytics VM 370 may identify that a pair of FSVMs may host a particular top-level directory when scanning the respective snapshots. In order to scan all of the metadata for that top-level directory, snapshots generated by other FSVMs may be accessed and scanned to retrieve the rest of the data. In this manner, all data in the top-level directory (e.g., across a distributed SMB share) may be scanned by the analytics VM 370, even without use of a DFS Referral. The metadata retrieved during the metadata collection process may be used to present information about the VFS 360 to a user via a user interface or via a report. The metadata may also be used to analyze event data, and to present recommendations to an administrator. For example, the analytics VM 370 may compare access history for a share with an ACL assigned to the share to recommend a change in the ACL based on the access history.

After an initial metadata collection, in some examples, the metadata collection process 330 may gather metadata for only selected files associated with an audit event received. In some examples, the metadata collection process 330 may utilize active directory (AD) credentials to interact with the associated file server and obtain metadata. The credentials may be provided to the analytics VM 370 in some examples by an administrator.

In some examples, analytics VM 370 may receive a notification when a VFS 360 (e.g., one or more of FSVM1-N) subscribes to analytics services. Responsive to the notification, the analytics VM 370 may initiate the metadata collection process 330 to gather initial metadata. The notification may be implemented using, for example, an API call. In some examples, the API call may write an identification of the file server 360 subscribing to the analytics services and the analytics VM 370 may monitor the file for changes to receive notification of a new file server and/or file server VM subscribing to analytics. In some examples, a thread or process may periodically scan the analytics datastore 320 including a store of the file server name(s). If a new file server name is found, the analytics VM 370 may initiate the metadata collection process 330 to gather initial metadata.

To gather initial metadata, the analytics VM 370 may obtain an identification of shares present on the file server 360, and store the identification of the shares in the analytics datastore. For each share, the analytics VM 370 may obtain an identification of all files and directories present on the share. For each file and directory, the analytics VM 370 may gather metadata for the file and/or directory and store the metadata in the analytics datastore 320. In some examples, the analytics VM 370 may track the progress of the initial metadata collection. A scan status may be stored in the analytics datastore and associated with each share. When the initial metadata collection begins, a scan status may be set to an initial value (e.g., “started” or “running”) in the analytics datastore 320. When the collected metadata is stored in the analytics datastore 320, the scan status may be set to a completed value (e.g., “complete”). If a failure occurs during the metadata collection process 330, the scan status may be set to a failure value (e.g., “failed”).

In some examples, the analytics VM 370 may access the scan status—periodically in some examples (e.g., every hour). If a failed scan status is encountered, the analytics VM 370 in some examples may restart a metadata collections process for that share.

In some examples, the metadata collection process 330 is initiated to gather metadata at a point in time, and changes that occur thereafter may be tracked via the event pipeline. For example, when a new share is added to the virtualized file server 360 after the metadata collection process 330 has started, the analytics VM 370 may not perform an initial metadata gathering process responsive to addition of the new share. Instead, the existence of the new share and events relating to the new share may be captured using the events pipeline, and metadata associated with the events may be obtained from the event data. Similarly, new files may be tracked based on events coming through the events pipeline and need not initiate a full metadata collections process just based on the addition of a new file or folder.

In some examples, communications for the metadata collection process 330 and/or the configuration information collection process 340 may flow through the audit framework 362 using the message topic broker 314 without departing from the scope of the disclosure. In some examples, the metadata collection process 330 and/or the configuration information collection process 340 may include use of API calls for communication with the VFS 360.

Metadata and/or events data stored in the analytics data store may be indexed. For example, an index may include events data collected over a particular period of time (e.g., last day, last month, last 2 months, last 3 months). In this manner, queries executed by an AVM (e.g., by query layer 286 of FIG. 2A) may query a particular index or indices, avoiding a need to query the entire data store. Metadata and/or events data may accordingly be stored in the analytics data store by storing the data together with an index indicator.

In some examples, certain indices may be maintained to assist with intended reporting of analytics from the AVM. For example, one index may be for anomalies, and may store anomalies detected from audit trails (e.g., from event data). The anomaly index may be queried (e.g., by the AVM) to present information about the occurrence of anomalies. Information stored in the anomaly index may include an array of anomalies for each user, an array of anomalies for each file and/or folder, an ID of the anomaly, a user ID of a user causing an anomaly, operation name(s) included in the anomaly, and a count of operations occurring in the anomaly.

One index may be for capacity and may store capacity metrics for a file server. The AVM may periodically calculate statistics regarding the number of files, counts per file type, capacity change per type, etc. and store the information in this index. Examples of capacity data may include capacity by file type or category, removed capacity by file type or category, added capacity by file type or category, total capacity added, number of files added, capacity removed, capacity change, number of modified files, capacity change by file type or category, number of deleted files, net capacity change. Other metrics may also be used.

Indices may be provided for audit logs (e.g., event data). The event data may be indexed per-time period (e.g., per month). Information that may be stored in the audit log index may include a name of a file or folder for which the event occurred, name or ID of a user generating the event, operation performed by the user, status of the event, old name of the file or folder (e.g., for rename events), object ID for the event, path of the file or folder affected by the event, IP of the machine from which the event was triggered, old parent ID of the file or folder (e.g., for move events), time stamp of the event. Other data may also be stored.

An index may be provided for users, and may store unique IDs of users for the file server. Other information stored in a user index may include user email, last event timestamp for a last action taken by the user, user name, object ID of a file and/or folder on which the user last performed an event, IP address of machine from which the user last operated, last operation performed by the user. Other user information may also be stored in other examples.

An index may be provided for files, and may store unique IDs of files in the file server. Examples of data that may be stored in a file index include last access timestamp, name of file creator, size of file, indicator if file is active, timestamp of last event performed on the file, ID (e.g., UUID) of the file server share to which the file and/or folder belongs, user ID of user performing the last event on the file, ID of the parent file and/or folder (e.g., hierarchical parent in a directory structure), ID of a user performing a last event on the file, time of file creation, file type, filename. The various indices may be queried to provide information as needed for various queries.

A set of categories may be defined and utilized for reporting and/or displaying data. Each category may be associated with multiple file type extensions. For example, an image category may include .jpg, .gif. A Microsoft Office category may include .doc, .xls. A video category may include .mpg, .avi, .mov, .mp4, etc. Other categories include, for example, Adobe (e.g., .pdf), log, archive, installers, etc. Associations between category names and file extensions may be stored in memory accessible to the AVM. The associations may be configurable, e.g., an admin or other user may revise and/or update the associations between file types and categories, e.g., using user interface 272.

Accordingly, examples of files analytics systems described herein may collect event data relating to operation of a file system. In some examples, a particular sequence of events may have a particular meaning as understood by a user and/or an administrator. It may be desirable to be able to query and represent the intended event instead of and/or in addition to the actual sequence of events. For example, in some applications (e.g., MICROSOFT WORD), multiple actions on a file system may be taken in order to achieve an intended action (e.g., editing a file). In some examples, applications may use temporary files as part of the processing of editing a given file. The temporary files may be used to store changes to the file. The temporary files may then be retained as the original file (with the original file being deleted), and/or the temporary files may be deleted and content in the file moved to the original file. In some examples, file analytics systems may advantageously respond to queries and/or provide reports (e.g., metrics) which reflect the user intended action, and may exclude or revise event data relating to particulars of an application used to perform the action.

FIG. 3D is a schematic illustration of an example file analytics system which may provide metrics adjusted for application operation (e.g., temporary file handling). FIG. 3D includes distributed file server 322, which includes FSVM 324, FSVM 326, FSVM 328, and storage pool 332. The storage pool 332 is shown to include file 342 and temp file 344. The AVM 334 may be in communication with the distributed file server 322. The UI 348 is coupled to AVM 334. The UI 348 may be used to display and/or provide metric 352. The AVM 334 is coupled to analytics datastore 336, which includes lineage index 338 and event data 346.

Systems described herein may include distributed file servers (e.g., virtualized file servers). The distributed file server 322 may be implemented by and/or used to implement, for example, all or portions of the system 100 of FIG. 1A (e.g., the virtualized file server 160). The distributed file server 322 may be implemented by and/or used to implement, for example, the VFS 260 of FIG. 2A. The distributed file server 322 is shown as including three file server virtual machines—FSVM 324, FSVM 326, FSVM 328—although any number may be present. The FSVM 324, FSVM 326, FSVM 328 may be implemented by and/or used to implement FSVM 162, FSVM 164, and FSVM 166 of FIG. 1A. In some examples the FSVM 324, FSVM 326, FSVM 328 may be implemented by and/or used to implement FSVM1 262, FSVM2 264, and FSVM3 266 of FIG. 2A. In some examples, the FSVM 324, FSVM 326, and/or FSVM 328 may be implemented by and/or used to implement one or more of the FSVMs shown in FIG. 3A. The storage pool 332 may be implemented by and/or used to implement all or portions of the storage pool 156 of FIG. 1A and/or computing node cluster 201 of FIG. 2A.

Systems described herein may include one or more analytics VM, such as AVM 334 of FIG. 3D. The AVM 334 may be implemented by and/or used to implement the analytics VM 170 of FIG. 1A, the AVM 270 of FIG. 2A, and/or the AVM 370 of FIG. 3A in some examples. The AVM 334 may generally receive event data from the distributed file server 322. For example, the AVM 334 may receive event data as shown and/or described with reference to the events pipeline of FIG. 3A.

Analytics VMs may accordingly store event data, such as event data 346 of FIG. 3D. The event data may be stored in analytics datastore 336. The analytics datastore 336 may be implemented using and/or may be implemented by analytics datastore 190 of FIG. 1A, analytics datastore 292 of FIG. 2A, and/or analytics datastore 320 of FIG. 3A.

Analytics VMs may receive one or more queries and/or provide one or more reports on the operation or state or other information about an associated virtualized file server. For example, the AVM 334 may be coupled to user interface, UI 348. The UI 348 may be implemented by and/or used to implement the UI 272 of FIG. 2A. The UI 348 may provide (e.g., display) one or more metrics, such as metric 352 in the example of FIG. 3D.

In some examples, the AVM 334 may provide one or more metrics (e.g., metric 352) which are adjusted based on the operation of an application used to implement a particular requested action. The metrics (e.g., metric 352) may be based on event data collected by the AVM 334, such as event data 346. In some examples, metric 352 may include a count of a number of files. The AVM 334 may provide, as metric 352, a count of files in the distributed file server 322 which may be adjusted to remove temporary files and/or other files ancillary to user operation of the file server. In some examples, metric 352 may include a count or report of operations on the distributed file server 322, such as a count or report of operations taken by all or particular user(s) of the distributed file server 322. The metric 352 may be based on event data 346. However, the count or report of operations taken by all or particular user(s) may be adjusted to exclude operations associated with operation of an application utilized by a user to take a particular action.

In some examples, in order to provide metrics that are adjusted, the AVM 334 may provide and utilize a lineage index, such as lineage index 338. The lineage index 338 may store an association between files associated with a particular user action. The AVM 334 may access the lineage index 338 to identify a group of events in the event data 346 which correspond with associated files. The AVM 334 may filter that group of events to remove particular events (e.g., in accordance with a set of rules based on operation of an application) which are ancillary to an intended operation.

For example, consider that users (e.g., individuals, entities and/or other processes) may conduct operations on the distributed file server 322. Users may interact with files on the distributed file server 322 using one or more user VMs and/or other connection to distributed file server 322. Users may interact with files on the distributed file server 322 using one or more applications. Examples of applications used to interact with a file server include office applications—e.g., word processors, spreadsheets, document sharing applications, web browsers, data analysis or simulation applications, etc. Each application may have a set of actions that may be taken responsive to a user request (e.g., a request to write to a file). Other sets of actions may be taken responsive to other types of user requests. Applications used by users may be hosted, for example, on one or more of the computing nodes used to host the distributed file server 322. For example, the computing node(s) may host an operating system which may be used to provide the application.

In the example of Microsoft Word, when a user intends to edit a file, a new file will be created by MICROSOFT WORD (e.g., having a same name and with a temporary extension). So, for example, consider an example file ‘abc.doc’ stored in the virtualized file server 260 of FIG. 2A and/or the virtualized file server 322 of FIG. 3D. Responsive to a user editing the file, MICROSOFT WORD creates a new file with a temporary extension (e.g., ‘abc.tmp’ and/or ‘x.tmp’). Write operations may occur with respect to the temporary file. When the editing is complete (e.g., when a user saves the file and/or closes the application), MICROSOFT WORD may delete the original ‘abc.doc’ (e.g., file 342) and rename ‘x.tmp’ (e.g., temp file 344) to ‘abc.doc’. For example, the temporary file may be retained with the name of the original file (e.g., ‘abc.doc’) and the original ‘abc.doc’ file may be deleted. The event data 346 received by the AVM 334 in this scenario may include the creation of a new file (‘abc.tmp’), writes to the temporary file ‘abc.tmp’, the deletion of the temporary file (the original ‘abc.doc’), and the creation of a new file (the new ‘abc.doc’). Such a recording of events may compromise the use of the analytics available through the analytics system because future events may not be recognized as occurring to the same file as the original ‘abc.doc’—the files analytics system may consider there to be two separate files and may not be able to represent a continuous flow of events associated with a single ‘abc.doc’ file, which was the intended operation of the user. Moreover, all of those operations may be associated with the user (including any permission changes or other actions taken by the application), instead of simply the request to write to or change a file. An example sequence of events for a single write cycle may be as follows:

Event #   Event Type   File Inode   File Name   New File Name
1         Create       100          abc.docx    —
2         Rename       100          abc.docx    x.tmp
3         Create       200          y.tmp       —
4         Write        200          y.tmp       —
5         Delete       100          x.tmp       —
6         Rename       200          y.tmp       abc.docx

The events are shown consecutively numbered in the above table for ease of discussion. The event type is shown. The file ID (e.g., file iNode) is shown, together with the file name. The file ID (e.g., file iNode) may be a unique ID for the file in the file system. For example, the File Inode 100 may correspond with file 342 and the file inode 200 may correspond with temp file 344 in FIG. 3D.

As shown in the above sequence of events, the original file abc.docx starts as a file with inode 100 but ends up as a file with inode 200 after the write is done. This way the inode may keep changing on each write. If any analytics is fetched for the file then the analytics system may need to consider all the inodes for the file in order to get the full & correct audit trail for the file. A reliable mechanism to link all these inodes to the same lineage may be needed to obtain accurate analytics. While a specific example of ancillary operations in MICROSOFT WORD has been provided, it is to be understood that other applications similarly have other sequences of ancillary operations for handling temporary files or other actions (e.g., vi editor).

Referring to FIG. 3D, a lineage index 338 may be maintained in the analytics datastore 336. The lineage index may follow a parent-child schema (e.g., the index may include a series of records which relate a parent file to one or more temporary files). Each record (e.g., document) in the index may represent a lineage root or a child associated with a lineage root. In this manner, the lineage may not be a multi-level hierarchy in some examples. Rather, a single record may exist for a parent-child (e.g., file-temp file) association. Each document in the index may include an object ID (e.g., unique file ID, such as iNode number), type of document (e.g., parent or child), and lineage root ID (e.g., unique file ID, such as iNode number, for the parent in the case of a child record, or child in the case of a parent record).

In some examples, an events processor of the AVM 334 (e.g., the events processor 316 of FIG. 3A) may populate the lineage index. For example, the events processor 316 may execute a lineage management process which may identify particular file events (e.g., temp file events) and establish a lineage between files. For example, the lineage management process may search incoming events and/or events stored in the analytics datastore 336 for files meeting lineage management criteria. Lineage management criteria may refer to the presence of a sequence of events indicative that a file was renamed, moved, and/or altered to a temporary file. For example, the lineage management process may search event data for rename events where a particular file extension indicative of a temporary file (e.g., .tmp) was renamed to another file extension (e.g., .doc). Generally, the lineage management process may identify a known and/or configurable event and/or set of events indicative of a lineage relationship (e.g., relationship where one file is intended to be treated the same as another file for events purposes). For example, the temporary files may be identified by extension (e.g., ‘.tmp’ in the table above) and renames of files having temporary extensions may be used as a lineage management criteria. So, for example, the lineage management process may identify that file inode 200 may be a candidate for lineage management because of event 6 in the table above where the .tmp file is renamed to .docx. Other criteria may also be used. The lineage management process may identify a corresponding event to establish a lineage. For example, the lineage management process, having identified the file inode 200 as a candidate based on the rename of the .tmp file to .docx in event 6, may identify a corresponding event as event 2 where the file ID (e.g., inode 100) was renamed from abc.docx to a temporary file x.tmp. While x.tmp here is used as an example, generally the temp file may be named with ~ followed by the original filename.tmp, so it may be ~abc.tmp in some examples. In this manner, the lineage management process may identify the inode 100 as associated with the inode 200.

The lineage management process may further search incoming events and/or events stored in the analytics datastore 336 which may have been performed on the related lineage file. The lineage management process may verify whether the unique file ID (e.g., inode) on which the event occurred is already part of a lineage or is a lineage root itself, such as by searching the existing lineage index. The lineage management process may then establish the lineage accordingly as a root and/or child.

In some examples, the AVM 334 (e.g., an events processor of the AVM) may ensure that file and event records associated with a particular lineage are updated to reflect that lineage. For example, each record in the lineage index may include an object ID and an object lineage root reference, which object lineage root reference indicates the lineage for a file. For example, the events processor 316 may identify each file ID that is involved in a potential temp file event and mark the file for further processing (e.g., both file IDs 100 and 200 may be identified in the example of the above table due to their rename events). The events processor 316 may execute a separate process that identifies lineage for the marked files (e.g., by examining the sequence of events in the above table and/or a lineage index). The corresponding event records for the marked files may be updated to include the object lineage root reference.

While examples have been described where the AVM 334 (e.g., using an events processor) determines lineage of various files in temp-related events, in some examples, lineage may be determined by the file server (e.g., distributed file server 322 of FIG. 3D and/or file server 260 of FIG. 2A). For example, an API gateway on one or more of the FSVMs of the file server 260 may include one or more software processes to calculate the lineage (e.g., association between one or more files), and provide the lineage together with the events data to allow the AVM 334 (e.g., using an events processor, such as the events processor 316 of FIG. 3A) to store the lineage data in the datastore.

In this manner, the lineage of related files may be maintained in a lineage index and/or object lineage root reference in the analytics datastore 336. This lineage index and/or object lineage root reference may be utilized when responding to queries (e.g., queries of or by an API layer of the AVM 334, such as API layer 284 of FIG. 2A) to allow for the intended behavior to be represented.

An example query issued by the AVM 334 (e.g., using an API layer such as API layer 284 of FIG. 2A) to the analytics datastore 336 may be to provide an audit trail for a given file (e.g., all events associated with a particular file ID). The audit trail may be an example of a metric described herein. In examples described herein, the AVM 334 and/or the API layer 284 may access the lineage index 338 of the analytics datastore 336 to locate all related lineage IDs for the file ID. The audit index (e.g., event data 346) of the analytics datastore 336 may accordingly be searched for all events belonging to the file ID and any related lineage IDs. Accordingly, a complete set of events may be obtained (e.g., identified).

In some examples, the AVM 334 (e.g., using an API layer, such as API layer 284) may filter the complete set of events to remove events associated with the operation of the application (e.g., the temporary file process or otherwise ancillary to the intended file manipulation). A set of rules regarding what events to filter, exclude, and/or remove may be stored in a memory or other storage accessible to AVM 334. The set of rules may include rules particular to certain applications and/or certain user actions. For example, in the case of MICROSOFT WORD or other applications having similar temporary file operation responsive to user writes, create events may be discarded for all file IDs except the lineage root ID. Additionally or instead, delete events may be discarded for all file IDs except the most recent (e.g., the current file ID of the related file IDs). Additionally or instead, rename events to and/or from temporary file extensions may be discarded for all file IDs. The resulting set of events may be used to report (e.g., display or communicate) the list of events associated with the requested file ID. For example, referring to the table above, if a query were received for the inode 200, the AVM 334 and/or the API layer 284 may access the lineage index and determine that the inode 100 was a related file ID. All 6 events in the above table may accordingly be retrieved from the analytics datastore 336. The create event #3 may be discarded (e.g., excluded), and only the create event #1 (of the lineage root inode 100) may be retained. The delete event #5 may be discarded (e.g., excluded) as it is not a delete event relating to the current inode ID 200. The rename events #2 and #6 may be discarded (e.g., excluded) as they relate to a rename to and/or from a .tmp extension. In this manner, the list of reported events responsive to the query would be Event #1 (Create), Event #4 (Write). This corresponds to the intended operation of a MICROSOFT WORD user creating the sequence of events—the document was created and written to. In this manner, the audit trail metric may be adjusted based on application operation. Similarly, a count of operations performed by a user may include only the create and write actions, with the other actions in the table discarded (e.g., excluded).

In some examples, the AVM 334 and/or API layer 284 may provide a query to provide an aggregate data metric for a particular entity record. For example, access patterns for a particular file may be requested. The AVM 334 (e.g., using an API layer) may have the file ID of the requested file, and may search the lineage index for the file ID to obtain all related lineage IDs. The audit index (e.g., event data 346) may be searched by the AVM 334 to aggregate event data for the object ID and all lineage IDs. As described above with respect to the discarded events, events relating to the temporary file manipulation may be discarded (e.g., excluded). In this manner, the metric 352 may include access patterns for a particular file adjusted by application operation.

In some examples, the AVM 334 and/or API layer 284 may provide a query for a metric involving aggregate data for a list of entity records—e.g., to provide top 5 accessed files. The AVM 334 (e.g., using an API layer) may search the event data 346 (e.g., an events index) for an aggregated count of events per file ID. Rather than only retrieving the requested number of top results, a larger number of results may be retrieved (e.g., 10,000). The results may be compared against the lineage index 338 and results for file IDs related in the lineage index may be combined, e.g., by the AVM 334. For example, the events list may be filtered as described above and the revised events list may be used to generate an aggregated count of events per file ID. The top accessed files may be identified from the revised list. In this manner, the metric 352 may include aggregated data for a set of entity records adjusted in accordance with operation of an application.
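
The audit-trail filtering and the lineage-merged top-accessed count described in the preceding paragraphs can be sketched as follows. This is an added example, not code from the described system; the event field names, file names, the six-event sample (constructed to mirror the sequence the text walks through), and the rule that the "current" ID is the most recently introduced member of a lineage are all assumptions.

```python
from collections import Counter

TEMP_EXTENSIONS = (".tmp",)  # assumption: extensions the rule set treats as temporary

# Lineage index (constructed): object ID -> object lineage root reference.
LINEAGE_ROOT = {100: 100, 200: 100}

# Constructed audit index. Events 1-6 mirror the save cycle discussed in the
# text; events 7-9 belong to an unrelated file so a ranking can be shown.
EVENTS = [
    {"id": 1, "file_id": 100, "op": "create", "name": "report.docx"},
    {"id": 2, "file_id": 100, "op": "rename", "name": "report.docx",
     "new_name": "report-old.tmp"},
    {"id": 3, "file_id": 200, "op": "create", "name": "report-new.tmp"},
    {"id": 4, "file_id": 200, "op": "write", "name": "report-new.tmp"},
    {"id": 5, "file_id": 100, "op": "delete", "name": "report-old.tmp"},
    {"id": 6, "file_id": 200, "op": "rename", "name": "report-new.tmp",
     "new_name": "report.docx"},
    {"id": 7, "file_id": 300, "op": "create", "name": "budget.xlsx"},
    {"id": 8, "file_id": 300, "op": "read", "name": "budget.xlsx"},
    {"id": 9, "file_id": 300, "op": "read", "name": "budget.xlsx"},
]


def is_temp(name):
    return bool(name) and name.lower().endswith(TEMP_EXTENSIONS)


def lineage(file_id, events=EVENTS):
    """Return (root ID, all related IDs, current ID) for a file ID."""
    root = LINEAGE_ROOT.get(file_id, file_id)
    related = {f for f, r in LINEAGE_ROOT.items() if r == root} | {root, file_id}
    # Assumption: the current ID is the member whose first event is latest.
    first_seen = {
        f: min((e["id"] for e in events if e["file_id"] == f), default=-1)
        for f in related
    }
    current = max(related, key=lambda f: first_seen[f])
    return root, related, current


def keep(event, root, current):
    """Apply the three filtering rules for temporary-file save cycles."""
    op = event["op"]
    if op == "create":   # keep creates only for the lineage root
        return event["file_id"] == root
    if op == "delete":   # keep deletes only for the current file ID
        return event["file_id"] == current
    if op == "rename":   # drop renames to or from a temporary extension
        return not (is_temp(event["name"]) or is_temp(event.get("new_name")))
    return True


def audit_trail(file_id, events=EVENTS):
    """All events for the file and its lineage, minus application noise."""
    root, related, current = lineage(file_id, events)
    trail = [e for e in events if e["file_id"] in related and keep(e, root, current)]
    return sorted(trail, key=lambda e: e["id"])


def top_accessed(n, events=EVENTS):
    """Rank files by filtered event count, merging IDs that share a lineage."""
    counts = Counter()
    for root in {LINEAGE_ROOT.get(e["file_id"], e["file_id"]) for e in events}:
        _, _, current = lineage(root, events)
        counts[current] = len(audit_trail(root, events))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    print([(e["id"], e["op"]) for e in audit_trail(200)])
    print(top_accessed(2))
```

Counting raw events per file ID would instead report inodes 100 and 200 as two separate files with three events each, which is the distortion the lineage index is meant to remove.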

Accordingly, examples described herein may provide a lineage for a given file which relates the file to other files which previously existed but were renamed to, moved to, and/or replaced the given file. This may allow for more complete analytics reporting with respect to the file. Metrics may be adjusted in accordance with operation of an application used to manipulate the file. In this manner, events data may be stored and/or modified in a manner that reflects user intention. While examples have been described with respect to MICROSOFT WORD, in other examples, event sequences occurring with other applications may be analogously modified (e.g., other MICROSOFT OFFICE applications, vi editor, etc.). For example, any application that utilizes an event pattern for temporary files may be tracked using lineage techniques described herein. While certain metrics have been described, such as number of files, number of operations for a user, top accessed files, audit history for a file, etc., other metrics may additionally or instead be adjusted based on application operation in other examples.

File analytics systems described herein may be utilized to collect, analyze, calculate, report, and/or display various metrics relating to one or more file servers. By utilizing metadata, event data, and/or configuration information, which may be collected as described herein, various metrics may be obtained and displayed regarding operation of the file server. Note that examples of techniques utilized to persistently store events at the file server until they are consumed (e.g., by one or more analytics VMs) may result in more accurate reporting and metrics being provided from the file analytics system. Because events are persistently stored until consumed, event loss may be reduced and/or eliminated. By reducing the incidence of event loss, resulting metrics calculated and/or reported by the analytics system may have increased accuracy. Examples of metrics, reporting and user interfaces for the file analytics system are described herein, including with reference to FIGS. 4-6. The metrics shown and described may be obtained, calculated, displayed, or otherwise manipulated using event data that may be obtained using persistent storage techniques and/or other techniques described herein.

As another example, techniques described herein for collecting metadata and/or auditing an analytics datastore using metadata collected from one or more snapshots may be advantageous in presenting accurate analytics information. For example, if active scans of the file server were utilized to collect metadata instead of snapshots, it is possible some directories or metadata may be missed in the collection process. As an active file server is scanned for metadata, for example, consider a directory D under a higher-level directory A in a file server that also contains another higher-level directory B. If the metadata collection process were to conduct a metadata scan of the file server during active operation, it may complete metadata collection from directory B and then begin metadata collection from directory A. However, directory D may then be moved, before its metadata is collected, to directory B. In such a scenario, the metadata collection from directory D may be incomplete or inaccurate. Accordingly, the use of snapshots to collect metadata used by an analytics system may improve the delivery of analytics. Examples of metrics, reporting and user interfaces for the file analytics system are described herein, including with reference to FIGS. 4-6. The metrics shown and described may be obtained, calculated, displayed, or otherwise manipulated using metadata that may be obtained from snapshots and/or using other techniques described herein.

As another example, techniques described herein for ensuring in-order processing of event data may be advantageous in presenting accurate analytics information. For example, if event data is processed out of order, analytics related to the use of the file system may be inaccurate or incomplete. Examples of metrics, reporting and user interfaces for the file analytics system are described herein, including with reference to FIGS. 4-6. The metrics shown and described may be obtained, calculated, displayed, or otherwise manipulated using event data that may be obtained using techniques intended to ensure the in-order processing of events and/or using other techniques described herein.

FIGS. 4 and 5 depict exemplary user interfaces 400 and 500/501, respectively, reporting various analytic data based on file server events, according to particular embodiments. The user interfaces 400 and 500/501 may be used, for example, to implement user interface 272 of FIG. 2A and/or UI 348 of FIG. 3D in some examples. As shown in FIG. 4, a top-left portion of the user interface 400 shows changes in capacity of a file server, a top-middle portion depicts age distribution of files managed by the file server, and a top-right portion depicts a recent list of anomaly alerts. A middle-left portion of the user interface 400 depicts permissions denials, a center portion of the user interface 400 depicts file size distribution of files managed by the file server, and the middle-right portion of the user interface 400 depicts file-type distribution of files managed by the file server. A lower-left portion of the user interface 400 depicts a list of most active users of the file server, a lower-middle portion of the user interface 400 depicts a list of most accessed files managed by the file server, and the lower-right portion of the user interface 400 depicts trends in types of access operations performed by the file server.

In some examples, a top number of accessed files may be displayed (e.g., in the middle bottom of FIG. 4) together with their details—e.g., filename, file path, owner, and number of events performed on the file over a particular duration (e.g., last 7 days in the example of FIG. 4). A top 5 list is shown in FIG. 4, although other numbers of top files may be used in other examples, such as top 10 or another number. Clicking the file may further display a list of events associated with the file (e.g., an audit history). A top users widget (e.g., bottom left of FIG. 4) may display a top number of active users together with information about the users, such as username, last accessed file, number of activities performed by the user in a particular duration, etc. Clicking on a username in the widget may display a list of events (e.g., an audit history) associated with the user.

In some examples, a file-type distribution widget may be included in a user interface (e.g., in a middle-right portion of the user interface 400 of FIG. 4). The file-type distribution may depict a number of file types (e.g., file extensions and/or categories) for a particular file server (e.g., file server 260 of FIG. 2A and/or distributed file server 322 of FIG. 3D), and a quantity of files in each type. In the example of FIG. 4, a segmented bar is shown, with segments each corresponding to a category (e.g., a group of one or more file extensions) and a length of the segment corresponding to a number of files of that type. The data may be displayed in other ways; for example, a bar graph may depict file extensions along an x-axis and count for a type of file and/or category on the y-axis.

In some examples, a file-size distribution widget may be included in a user interface (e.g., in a center portion of the user interface 400). The file-size distribution widget may display file distribution by size for a particular file server (e.g., file server 260 of FIG. 2A and/or distributed file server 322 of FIG. 3D). The example of FIG. 4 illustrates a number of files fitting into each of several file size ranges. Other representations may be used in other examples. For example, a bar graph may be used having size (or size ranges) on an x-axis and a count of files on the y-axis.

A data age widget may be included in some examples (e.g., in a middle upper portion of FIG. 4). The data age widget may illustrate a relative age of files. In some examples, the relative age may be based on a last access of the file. For example, the age of a file may refer to how much time has elapsed since the file was last accessed. In the example of FIG. 4, a total size of data is depicted in each of four age ranges (e.g., less than 3 months, 3-6 months, 6-12 months, >12 months). Other depictions may be used in other examples. A bar graph may show age of files on an x-axis and cumulative size of files of that age on the y-axis.

A files operations widget may be included in some examples (e.g., in a lower right portion of FIG. 4). A quantity of each of several event types (e.g., create file, read, write, delete, permission change) that have occurred in a file server over a queried time may be displayed.

A capacity trend widget may be included in some examples (e.g., in an upper left portion of FIG. 4). The capacity trend widget shows the pattern of capacity fluctuation for the file system. It shows the capacity change (e.g., storage added, storage removed, and the net change) for a particular duration, which may be selected from the widget dropdown in some examples. The capacity calculation may be performed in some examples by an AVM. For example, the capacity trend may be regularly (e.g., hourly, every 15 minutes, every 30 minutes, or some other interval) calculated by the AVM using collected metadata and event data. For example, the AVM may query a file index of the data store to obtain added, deleted, and modified counts and/or quantities for each file in a file server. A total change may be calculated based on a total change from the current query plus any previous calculated change amount. Net change may be calculated as files and/or quantity added minus files and/or quantity deleted. Generated statistics may be captured and indexed into a capacity index. A query may be made to the capacity index to provide the output shown in the widget.

An anomaly alert widget may be included in some examples (e.g., in an upper right portion of FIG. 4). The anomaly alert widget may show a list of latest anomalies in the file system. An anomaly may refer to, for example, a user performing a number and/or sequence of events that is recognized as anomalous (e.g., changing over a threshold number of file permissions, creating over a threshold number of files, etc.). Anomaly rules may, in some examples, be defined by one or more users of the analytics system described herein and stored in a location accessible to the AVM. The anomaly alert widget may display the anomalous action(s), together with an identification of a responsible user, and a number of files involved.

A permission denial widget may be included in some examples (e.g., in a mid-left portion of FIG. 4). The permission denial widget may display a number of users who performed a permission denied operation within a specified time period.

The metrics shown in FIG. 4 and FIG. 5 may be reported by AVM 334 of FIG. 3D in some examples adjusted in accordance with rules to filter out ancillary events taken by applications used by users.

As shown in FIG. 5, the user interface 500 depicts a distribution of types of events (e.g., close file, create file, delete, make directory, open, read, rename, set attribute, write) performed by a particular user on the file server based on a query over a specified date range. In some examples, the event audit history and/or distribution may be shown per file, per file type, and/or per file server. The user interface 501 depicts a list of the events generated by the query over the specified date range. The user interfaces 400 and 500/501 depicted in FIGS. 4 and 5, respectively, are exemplary. It is appreciated that the user interfaces 400 and 500/501 may be modified to arrange the information differently. It is also appreciated that the user interfaces 400 and 500/501 may be modified to include additional data, to exclude some of the depicted data, or any combination thereof.

File analytics systems described herein may include other features. In some examples, referring again to the example of FIG. 2A, the events processor 280, the query layer 286, and the policy management layer 283 may manage and facilitate administrator-set archival policies, such as time-based archival (e.g., archive data based on a last-accessed date being greater than a threshold), storage capacity-based archival (e.g., archiving certain data when available storage falls below a threshold), file-type (e.g., file extension) archival, other metadata property-based archival, or any combination thereof.

In some examples, data tiering policies may be determined, changed, and/or updated based on metadata and/or events data collected by file analytics systems. For example, the VFS 160 of FIG. 1A, FIG. 1B, and/or FIG. 1C may implement data tiering. Data tiering generally refers to the process of assigning different categories of data to various levels or types of storage media, typically with the goal of reducing the total storage cost. Tiers may be determined by performance and/or cost of the media, and data may be ranked by how often it is accessed. Tiered storage policies typically may place the most frequently accessed data on the highest performing storage. Rarely accessed data may be stored on low-performance, cheaper storage. Storage tiers are often aligned with a stage in the data lifecycle. The main benefits of tiering data may be around how data is managed through its lifecycle. This is in line with best practice data management policies and can also contribute towards data center and storage management; often the success of tiering will be measured by cost impact.

Virtualized file servers, such as VFS 160 of FIG. 1A, FIG. 1B, and/or FIG. 1C, may implement storage tiering. For example, data may be stored in particular media in the storage pool 156 based on a tiering policy. For example, less frequently accessed data may be stored on a lower performing media. The file server VMs and/or controller VMs and/or hypervisors shown in FIG. 1A and/or FIG. 1C may be used to implement a tiering policy and determine on which media to store various data. For example, a tiering engine may be implemented on one or more of the nodes of the VFS 160 and may direct the storage and/or relocation of files to a preferred tier of storage.

File analytics systems may provide information to the file server based on captured metadata and/or events data regarding the stored files. The information provided by analytics based on metadata and events may be used by the VFS 160 to implement, create, modify, and/or update tiering policies.

Individual files may be tiered as objects in a tiered storage (e.g., implemented as part of and/or as an extension of storage pool 156 of FIG. 1A and/or FIG. 1C). When a file is moved to the tiered storage, for example at the direction or request of a tiering engine implemented in VFS 160, the data may be truncated from the primary storage in order to save space. The truncated file remains on the primary storage containing the metadata, e.g., ACLs, extended attributes, alternative data stream, and tiering information, e.g., pointers (such as URLs) to access the objects in the tiered storage containing the file data. When the truncated file on the primary storage is accessed by a client (e.g., by a user VM), the data is available from the tiered storage.

In some examples, the decision to tier and/or how and/or when to tier may be made at least in part by a policy engine implemented by the analytics VM 170 of FIG. 1A and/or FIG. 1C. For example, policy management layer 283 of FIG. 2A may be used to implement the policy engine. The policy engine may determine when to tier based on the tiering policies, file access patterns and/or attributes (e.g., metadata and/or event data obtained by the analytics VM 170 and stored in datastore). The policy engine may keep track of the results of the tiering and untiering executions. For example, when the data is tiered or recalled by a tiering engine of the virtual file server, an event may be generated (e.g., Op code=kTier or kRecall). The tiering event may be sent through the data pipeline (e.g., by producer message handler(s) 312 of FIG. 3A to events processor 316 of FIG. 3A). In this manner, the file analytics system may store indications in the analytics datastore 320 that certain data has been tiered, and on which tier the data (e.g., files) reside. Reports and other displays may then be accurate as to the tiering status of files in the virtualized file server.

User interfaces (e.g., UI 272 of FIG. 2A) may provide an interface for a user to view, set, and/or modify the tiering profile. The user interface may be used to obtain information about tiering targets and credentials to be used by the virtualized file server (e.g., VFS 160) to connect and upload files to the tiers. The captured profile details may be communicated to the virtualized file server (e.g., to the tiering engine) via remote command. The user may also set the tiering policy and/or desired free capacity via the UI and this may be stored on an analytics datastore (e.g., database 292 of FIG. 2A). Tiering criteria may be defined; for example, exclusion criteria may be defined (e.g., for file size, particular shares, and/or file types, such as categories or extensions) to specify certain items that may not be subject to the tiering policy. Another tiering criteria may be file size and priority for tiering. Another tiering criteria may be tier threshold age. Another tiering criteria may be file type (e.g., category and/or extension) and priority. The policy engine (e.g., policy management layer 283 of FIG. 2A) may be implemented using a cron job that may run periodically and, based on the tiering policy and desired capacity, may wholly and/or partially determine the candidate files for moving to a particular tier. The list of files which meet the criteria for a particular tier may be communicated to the tiering engine of the VFS via a remote command.

The tiering engine of the VFS (which may be hosted, e.g., on node 102, node 104, and/or node 106 of FIG. 1A and/or FIG. 1C) may tier the files to the specified tiering targets responsive to instructions from the analytics policy engine. For example, the policy engine of the analytics system may evaluate a capacity of the VFS. If a capacity threshold is exceeded, the analytics system may itself and/or communicate with the VFS (e.g., with the tiering engine) to identify files in accordance with the tiering policy for tiering. The files may be grouped for tiering by ID in each share and a task entry may be made for each group. The tasks may be executed by the tiering engine of the VFS, which may in some examples generate the tasks, and in some examples may receive the tasks from the analytics system (e.g., the policy engine). Once the files have been tiered, the tiering engine may send audit events for each of the tiered files to the analytics VM 170. The audit events may contain the object identifier (e.g., file ID) and the tier target (e.g., tier to which the file ID is tiered). The tier audit event may be stored in the datastore (e.g., database 292 of FIG. 2A) and the state of the file ID may be updated to “Tiered” when tiered. In case of a tiering failure, the audit event may contain a reason, and the file table entry for that file will be updated with it.

The user may (e.g., through UI 272) set an automatic recall policy while setting up the tiering policy. The recall policy may, for example, be based on how many accesses (e.g., reads and/or writes) within a period may trigger a recall. Other users (e.g., admins) may also initiate the recall of specific tiered files, according to the users' requests. In case of manual recall, a user may provide a file, directory and/or a share for recall. The request may be saved in an analytics datastore (e.g., analytics datastore 292 of FIG. 2A) and accessed by a backend recall process.

In some examples, the tiering engine of the VFS may collect file server statistics used to make a tiering decision (e.g., network bandwidth, pending tiering requests). The analytics VM 170 may access the file server statistics collected by the tiering engine, e.g., through one or more API calls and/or audit events. The file server statistics may be used by the analytics VM (e.g., the policy engine) to control the number of tiering requests provided to the VFS.

Based on the collected information and current state of the objects, the analytics system (e.g., analytics VM 170, such as through the policy engine) may calculate the projected storage savings using a particular tiering selection on a time scale. This information may aid users to configure snapshot and tiering policies for most effective utilization of the VFS, balancing between performance and cost in some examples.

Accordingly, tiering engines in a VFS may utilize file analytics determined based on collected metadata and/or events data from the VFS to make decisions on which files to tier and subsequently truncate from the primary storage. File analytics systems (e.g., AVMs) may additionally or instead decide to untier files based on a user-defined recall policy (e.g., based on access pattern as determined using collected event data and metadata) and/or based on manual trigger. The policy engine of the analytics VM may generally include a collection of services which may work together to provide this functionality. The policy engine may execute the tiering policy in the background, and call VFS APIs to tier and recall files. The policy engine may keep track of tiered files, and/or the files in the process of being tiered or recalled.

In some examples, a file analytics system, e.g., AVM 270 of FIG. 2A, such as by using the machine learning service 285, may be implemented to enhance detection of malicious software activity and/or anomalous user activity. FIG. 6 depicts an example user interface 600 reporting various anomaly-related data, according to particular embodiments. As shown in FIG. 6, the top portion of the user interface 600 shows changes in a number of detected anomalous events over time. The lower left portion of the user interface 600 depicts a list of users that have caused the most detected anomalous activity, the lower middle portion of the user interface 600 depicts a list of folders that have experienced the most detected anomalous activity, and the lower right portion of the user interface 600 depicts frequency of each type of anomaly-inducing event. The user interface 600 depicted in FIG. 6 is exemplary. It is appreciated that the user interface 600 may be modified to arrange the information differently. It is also appreciated that the user interface 600 may be modified to include additional data, to exclude some of the depicted data, or any combination thereof.

A variety of user interfaces may be provided to administer and/or receive information about ransomware in a virtualized file server (e.g., utilizing UI 272 of FIG. 2A). In some examples, the UI 272 may provide a ransomware policy management page allowing for a user to add and/or remove and/or modify file extensions and file name patterns that analytics VM 270 may recognize and report as ransomware. In some examples, the UI 272 may provide a display of a ransomware dashboard (e.g., the user interface 600). The dashboard may display, for example, an infection status (e.g., number of infected files, number of infected shares, and/or provide an infected file list for display and/or download). The dashboard may display SSR status (e.g., a list of shares that have SSR enabled). The dashboard may display a number of vulnerabilities (e.g., infection attempts)—this may include, for example, total vulnerabilities, vulnerable shares, and/or malicious clients. The dashboard may display most recent ransomware attack attempts (e.g., time of attack, share, client, and/or blocked file extension). The dashboard may display a list of vulnerable shares (e.g., share name, path, status, protection status, and/or vulnerabilities). The dashboard may display a list of malicious clients (e.g., client IP, user, share accessed, and/or operation performed).

The information for the dashboard may be obtained by analytics VM 270 querying metadata and/or events data maintained in analytics datastore 292 (e.g., datastore 320 of FIG. 3A). For example, the analytics VM may utilize a query for audit events having an indicator of ransomware attack (e.g., in a ransomware attack field of the event store). Counting the number of such events may provide a number of infection attempts, and the shares corresponding to files implicated by those events may provide a list of vulnerable shares.
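
The policy matching and dashboard aggregation described in the two paragraphs above can be sketched as follows. This is an added example, not code from the described system; the policy entries, event field names, and sample events are constructed, and checking only the name a file ends up with (the rename target) is an assumption about how the indicator field is populated.

```python
import fnmatch
from collections import Counter

# Constructed policy: blocked extensions and file name patterns an
# administrator might enter on the policy management page.
POLICY = {
    "extensions": [".lockedexample"],
    "patterns": ["*restore_files_example*"],
}

# Constructed audit events (field names are assumptions for this example).
EVENTS = [
    {"time": "2024-05-01T10:00:00", "share": "finance", "client_ip": "192.0.2.10",
     "user": "alice", "op": "write", "name": "q3.xlsx"},
    {"time": "2024-05-01T10:05:00", "share": "finance", "client_ip": "192.0.2.44",
     "user": "svc-scan", "op": "rename", "name": "q3.xlsx",
     "new_name": "q3.xlsx.LOCKEDEXAMPLE"},
    {"time": "2024-05-01T10:06:00", "share": "hr", "client_ip": "192.0.2.44",
     "user": "svc-scan", "op": "create", "name": "RESTORE_FILES_EXAMPLE.txt"},
    {"time": "2024-05-01T10:07:00", "share": "finance", "client_ip": "198.51.100.7",
     "user": "bob", "op": "create", "name": "notes.lockedexample"},
    # A rename away from a blocked extension (e.g., during recovery).
    {"time": "2024-05-01T11:00:00", "share": "eng", "client_ip": "192.0.2.10",
     "user": "alice", "op": "rename", "name": "old.lockedexample",
     "new_name": "old.txt"},
]


def match_policy(name, policy):
    """Return the policy entry a file name matches, or None."""
    if not name:
        return None
    lowered = name.lower()  # file names on SMB shares are case-insensitive
    for ext in policy["extensions"]:
        if lowered.endswith(ext.lower()):
            return ext
    for pattern in policy["patterns"]:
        if fnmatch.fnmatchcase(lowered, pattern.lower()):
            return pattern
    return None


def tag_events(events, policy):
    """Set the ransomware indicator field on each event."""
    tagged = []
    for event in events:
        # Check the name the file ends up with: the rename target if present.
        target = event.get("new_name") or event["name"]
        hit = match_policy(target, policy)
        tagged.append({**event, "ransomware_attack": hit is not None, "matched": hit})
    return tagged


def dashboard(tagged, recent=3):
    """Aggregate flagged events into the dashboard figures."""
    hits = [e for e in tagged if e["ransomware_attack"]]
    newest_first = sorted(hits, key=lambda e: e["time"], reverse=True)
    return {
        "infection_attempts": len(hits),
        "vulnerable_shares": dict(Counter(e["share"] for e in hits)),
        "malicious_clients": sorted({(e["client_ip"], e["user"]) for e in hits}),
        "most_recent": [(e["time"], e["share"], e["client_ip"], e["matched"])
                        for e in newest_first[:recent]],
    }


if __name__ == "__main__":
    for key, value in dashboard(tag_events(EVENTS, POLICY)).items():
        print(key, value)
```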

FIG. 7A illustrates a clustered virtualization environment 700 implementing file server virtual machine (FSVM) 766 of a virtualized file server (VFS) and an analytics VM 770 according to particular embodiments. The FSVM 766 may be configured to manage a subset of the storage items of the VFS, and may include or may be associated with an audit framework 762 that is configured to capture event data records and metadata, and provide the event data records and metadata to the analytics VM 770. In some examples, while the audit framework 762 is depicted as being part of the FSVM 766, the audit framework 762 may be hosted by another component (e.g., application, process, and/or service) of the VFS or of the distributed computing system without departing from the scope of the disclosure.

The analytics VM 770 may include an events processor to retrieve, organize, aggregate, and/or analyze information corresponding to the VFS file system in an analytics datastore 720. The VFS 160 and/or the analytics VM 170 of FIG. 1A and/or FIG. 1C, and/or the VFS 260 and/or the analytics VM 270 of FIG. 2A, and/or the VFS 360 (e.g., an FSVM of the VFS) and/or the analytics VM 370 of FIG. 3A and/or the AVM 334 of FIG. 3D may be used to implement and/or be implemented by the FSVM 766 of the VFS file system and/or the analytics VM 770, respectively. The architecture of FIG. 7A can be implemented using a distributed platform that contains a cluster of multiple host machines that manage a storage pool, which may include multiple tiers of storage.

To capture event data, the audit framework 762 may include a connector publisher (service connector 713) that is configured to publish the event data records and other information for consumption by other services using a message system. The event data records may include data related to various operations on files of the file system managed by the FSVM 766 of the VFS, such as adding, deleting, moving, modifying, etc., a file, folder, directory, share, etc. The event data records may indicate an event type (e.g., add, move, delete, modify), a user associated with the event, an event time, etc.

The audit framework 762 may include an audit queue 711, an event logger 712, the event log 771, and the service connector 713. The event log 771 may be specifically tied to the audit framework 762. The event log 771 may be capable of being scaled to store all event data records and/or metadata for the FSVM 766 according to a retention policy. The audit queue 711 may be configured to receive event data records and/or metadata from the VFS via network file server or server message block server communications 704, and to provide the event data records and/or metadata to the event logger 712. The event logger 712 may be configured to store the received event data records and/or metadata from the audit queue 711.

The event logger 712 may coordinate all of the event data and/or metadata writes and reads to and from the event log 771, which may facilitate the use of the event log 771 for multiple services. In some examples, the event data records may be stored with a unique index value, such as a monotonically increasing sequence number, which may be used as a reference by the requesting services to request a specific event data record, as well as by the event logger 712 and/or audit framework 762 to maintain a chronological sequence of event data records. The event logger 712 may keep the in-memory state of the write index in the event log 771, and may persist it periodically to a control record (e.g., a master block). When the audit framework is started or restarted, the master record may be read to set the write index.

In some examples, the analytics VM 770 and/or the audit framework 762 may include protections to prevent event data from being lost. In some examples, the audit framework 762 may store (e.g., maintain) event data until it is consumed by the analytics VM 770. For example, if the analytics VM 770 (e.g., or the message system) becomes unavailable, the audit framework 762 may store the event data until the analytics VM 770 (e.g., or the message system) becomes available.

In some examples, the audit framework 762 may persistently store event data records according to a data retention policy (e.g., until a specific number of event data records have been reached, until the event data record exceeds a particular retention policy age limit, until the event data record is successfully provided to a particular requesting service (e.g., the analytics tool), until a total storage limit is exceeded, or some other retention criteria). Thus, if the requesting service (or the message system) becomes unavailable, the file server may persistently store the event data until the requesting service becomes available.

To support the persistent storage, as well as provision of the event data to the analytics VM 270, the FSVM 766 may include an audit framework 762 that includes a dedicated event log (e.g., tied to a FSVM-specific volume group) that is capable of being scaled to store all event data and/or metadata for a particular FSVM until successfully sent to the analytics VM 770. The audit framework may include an audit queue, an event logger, an event log, and a service connector. The audit queue may be configured to receive event data and/or metadata from the FSVM 766 via network file server or server message block server communications, and to provide the event data and/or metadata to the mediator. The event logger may be configured to store the received event data and/or metadata from the audit queue, as well as retrieve requested event data and/or metadata from the event log in response to a request from the service connector. The service connector may be configured to communicate with other services (e.g., such as a message topic broker/events processor of the analytics VM 770) to respond to requests for provision of event data and/or metadata, as well as receive acknowledgments when event data and/or metadata are successfully received by the analytics VM 770. The events in the event log may be uniquely identified by a monotonically increasing sequence number, will be persisted to an event log and will be read from it when requested by the service connector.

The event logger may coordinate all of the event data and/or metadata writes and reads to and from the event log, which may facilitate the use of the event log for multiple services. The event logger may keep the in-memory state of the write index in the event log, and may persist it periodically to a control record (e.g., a master block). When the audit framework is started or restarted, the master record may be read to set the write index.

Multiple services may be able to read from the event log via their own service connectors (e.g., Kafka connectors). A service connector may have the responsibility of sending event data and metadata to the requesting service (e.g., such as the message topic broker/events processor of the analytics VM 770) reliably, keeping track of its state, and reacting to its failure and recovery. Each service connector may be tasked with persisting its respective read index, as well as being able to communicate the respective read index to the event logger when initiating an event read. The service connector may increment the in-memory read index only after receiving acknowledgement from its corresponding service and will periodically persist in-memory state. The persisted read index value may be read at start/restart and used to set the in-memory read index to a value from which to start reading.

FIG. 7B depicts an example sequence diagram 701 for managing read and write indexes for storage of event data records via the audit framework 762 in accordance with embodiments of the disclosure. FIG. 7B depicts event log 771 write operations W1-W6 and read operations R1-R6. For the write operations, the audit framework 762 may receive the first event data from the FSVM 766 (W1) and may store the first event data in the event log 771 as index 1 event data (W2). After storing the first event data, the audit framework 762 may update the write index value (W3). Subsequently, the audit framework 762 may receive the second event data from the FSVM 766 (W4) and may store the second event data in the event log 771 as index 2 event data (W5). After storing the second event data, the audit framework 762 may update the write index value (W6).

For the read operations, the audit framework 762 may receive a request for event data from the analytics VM 770 (R1) and may retrieve the analytics VM 770 read index value (R2). Based on the retrieved read index value, the audit framework 762 may retrieve the index 1 event data from the event log 771 (R3), and may provide the index 1 event data to the analytics VM 770 (R4). The analytics VM 770 may provide an index 1 event data acknowledgment message to the audit framework 762 (R5). In response to receipt of the index 1 event data acknowledgment message, the audit framework 762 may update the read index value for the analytics VM (R6).

The sequence diagram 701 of FIG. 7B is exemplary, and other implementations may be utilized to ensure event data record read and write indexes are maintained to ensure chronological storage and recovery of the event data records. It is appreciated that more than two event data records may be written to the event log 771 and that more than one event data record may be read from the event log 771 without departing from the scope of the disclosure. It is also appreciated that event log 771 read and write operations may be interleaved or in any order without departing from the scope of the disclosure.

During service start/recovery, a service connector (e.g., service connector 713) may detect its presence and initiate an event read by communicating the read index to the event logger (e.g., event logger 712) to read from the event log as part of the read call. The event logger may use the read index to find the next event to read and send to the requesting service (e.g., the message topic broker/events processor of the analytics VM 770) via the service connector.
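The write-index and read-index handling described above can be sketched as follows. This is an added example, not code from the patent: the file names, the JSON record layout, and the log scan on start (which covers a control record that lags the log) are assumptions of the sketch.

```python
import json
import os
import tempfile


class EventLog:
    """Append-only event log; records carry a monotonically increasing seq."""

    def __init__(self, directory):
        self.log_path = os.path.join(directory, "event.log")
        self.master_path = os.path.join(directory, "master.json")  # control record
        self.write_index = 0
        if os.path.exists(self.master_path):
            with open(self.master_path) as fh:
                self.write_index = json.load(fh)["write_index"]
        # The control record is persisted only periodically, so it can lag the
        # log after a crash. Assumption of this sketch: scan the log on start
        # so a sequence number is never issued twice.
        for record in self._records():
            self.write_index = max(self.write_index, record["seq"])

    def _records(self):
        if os.path.exists(self.log_path):
            with open(self.log_path) as fh:
                for line in fh:
                    yield json.loads(line)

    def append(self, event):
        seq = self.write_index + 1
        with open(self.log_path, "a") as fh:
            fh.write(json.dumps({"seq": seq, "event": event}) + "\n")
        self.write_index = seq  # in-memory write index, updated after the write
        return seq

    def persist_write_index(self):
        with open(self.master_path, "w") as fh:
            json.dump({"write_index": self.write_index}, fh)

    def read_after(self, read_index):
        """Return the first record that follows read_index, or None."""
        for record in self._records():
            if record["seq"] > read_index:
                return record
        return None


class ServiceConnector:
    """Tracks one consumer's read index and advances it only on acknowledgment."""

    def __init__(self, log, directory, name):
        self.log = log
        self.state_path = os.path.join(directory, name + ".read_index")
        self.read_index = 0
        if os.path.exists(self.state_path):
            with open(self.state_path) as fh:
                self.read_index = int(fh.read())

    def deliver_next(self, send):
        """send(record) returns True once the service acknowledged the record."""
        record = self.log.read_after(self.read_index)
        if record is not None and send(record):
            self.read_index = record["seq"]
        return record

    def persist(self):
        with open(self.state_path, "w") as fh:
            fh.write(str(self.read_index))


def demo_restart():
    """Constructed run: crash with stale persisted indexes, then recover."""
    with tempfile.TemporaryDirectory() as d:
        received = []

        def ack(record):            # service is up and acknowledges
            received.append(record["seq"])
            return True

        def no_ack(record):         # service is down, nothing acknowledged
            return False

        log = EventLog(d)
        log.append({"op": "create", "path": "/share/a.txt"})
        log.append({"op": "write", "path": "/share/a.txt"})
        log.persist_write_index()   # control record now says 2
        log.append({"op": "rename", "path": "/share/a.txt"})  # seq 3, not persisted
        conn = ServiceConnector(log, d, "analytics")
        conn.deliver_next(ack)      # seq 1 acknowledged
        conn.persist()              # persisted read index = 1
        conn.deliver_next(ack)      # seq 2 acknowledged, index not yet persisted
        conn.deliver_next(no_ack)   # seq 3 sent, never acknowledged

        # Restart: both components reload their persisted state.
        log2 = EventLog(d)
        conn2 = ServiceConnector(log2, d, "analytics")
        while conn2.deliver_next(ack):
            pass
        next_seq = log2.append({"op": "delete", "path": "/share/a.txt"})
        return received, log2.write_index - 1, next_seq
```

Because the read index is persisted only periodically, record 2 is delivered twice across the restart, so a consumer of this log has to tolerate duplicates, for instance by keying on the sequence number.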

While the clustered virtualization environment 700 of FIG. 7A only depicts a single FSVM 766 of the VFS, it is appreciated that the clustered virtualization environment 700 may include additional FSVMs without departing from the scope of the disclosure. Applications or services other than the analytics VM 770 may be configured to interact with the audit framework 762 to retrieve event data records pertaining to the VFS without departing from the scope of the disclosure. As previously discussed, the audit framework and event log may be tied to a particular FSVM in its own volume group. Thus, if a FSVM is migrated to another computing node, the event log may move with the FSVM and be maintained in the separate volume group from event logs of other FSVMs.

FIG. 8 depicts a block diagram of components of a computing node (device) 800 in accordance with embodiments of the present disclosure. It should be appreciated that FIG. 8 provides only an illustration of one implementation and does not imply any limitations with regard to the environments in which different embodiments may be implemented. Many modifications to the depicted environment may be made. The computing node 800 may be implemented as at least part of the system 100 of FIG. 1A, FIG. 1B, and/or FIG. 1C, the clustered virtualization environment 200 of FIG. 2A, and/or may be configured to host at least part of the virtualized file server 360 and/or the analytics virtual machine 370 of FIG. 3A, host at least part of the distributed file server 322 and/or the AVM 334 of FIG. 3D and/or the FSVM 766 and/or the analytics virtual machine 770 of FIG. 7A and/or FIG. 7B. In some examples, the computing node 800 may be a standalone computing node or part of a cluster of computing nodes configured to host a file analytics tool 807 (e.g., any of the analytics VMs described herein).

The computing node 800 includes a communications fabric 802, which provides communications between one or more processor(s) 804, memory 806, local storage 808, communications unit 810, and I/O interface(s) 812. The communications fabric 802 can be implemented with any architecture designed for passing data and/or control information between processors (such as microprocessors, communications and network processors, etc.), system memory, peripheral devices, and any other hardware components within a system. For example, the communications fabric 802 can be implemented with one or more buses.

The memory 806 and the local storage 808 are computer-readable storage media. In this embodiment, the memory 806 includes random access memory RAM 814 and cache 816. In general, the memory 806 can include any suitable volatile or non-volatile computer-readable storage media. In an embodiment, the local storage 808 includes an SSD 822 and an HDD 824.

Various computer instructions, programs, files, images, etc. may be stored in local storage 808 for execution by one or more of the respective processor(s) 804 via one or more memories of memory 806. In some examples, local storage 808 includes a magnetic HDD 824. Alternatively, or in addition to a magnetic hard disk drive, local storage 808 can include the SSD 822, a semiconductor storage device, a read-only memory (ROM), an erasable programmable read-only memory (EPROM), a flash memory, or any other computer-readable storage media that is capable of storing program instructions or digital information.

The media used by local storage 808 may also be removable. For example, a removable hard drive may be used for local storage 808. Other examples include optical and magnetic disks, thumb drives, and smart cards that are inserted into a drive for transfer onto another computer-readable storage medium that is also part of local storage 808. The local storage may be configured to store executable instructions for the file analytics tool 807 or the audit framework 809. The file analytics tool 807 may perform operations described with reference to the AVM 170 of FIG. 1A and/or FIG. 1C, the AVM 270 of FIG. 2A, the analytics VM 370 of FIG. 3A, and/or the analytics VM 770 of FIG. 7A and/or FIG. 7B, in some examples. The audit framework 809 may perform operations described with reference to the audit framework of the VFS 160 of FIG. 1A, FIG. 1B, and/or FIG. 1C, the audit framework of the VFS 260 of FIG. 2A, the audit framework 362 of FIG. 3A, and/or the audit framework 762 of FIG. 7A and/or FIG. 7B, in some examples.

Communications unit 810, in these examples, provides for communications with other data processing systems or devices. In these examples, communications unit 810 includes one or more network interface cards. Communications unit 810 may provide communications through the use of either or both physical and wireless communications links.

I/O interface(s) 812 allows for input and output of data with other devices that may be connected to computing node 800. For example, I/O interface(s) 812 may provide a connection to external device(s) 818 such as a keyboard, a keypad, a touch screen, and/or some other suitable input device. External device(s) 818 can also include portable computer-readable storage media such as, for example, thumb drives, portable optical or magnetic disks, and memory cards. Software and data used to practice embodiments of the present disclosure can be stored on such portable computer-readable storage media and can be loaded onto local storage 808 via I/O interface(s) 812. I/O interface(s) 812 also connect to a display 820.

Display 820 provides a mechanism to display data to a user and may be, for example, a computer monitor. In some examples, a GUI associated with the user interface 272 of FIG. 2A may be presented on the display 820, such as the example user interfaces depicted in FIGS. 4-6.

FIG. 9A depicts an example pattern of file server events indicating malicious activity (e.g., ransomware attack), in accordance with embodiments of the present disclosure. File analytics systems (e.g., analytics VM 170 of FIG. 1A) may, in some examples, detect ransomware attacks through patterns, sets, or series of file operation events (e.g., file system events). The analytics VM 170 may analyze the set of file operation events to detect a ransomware attack. For example, the analytics VM 170 may monitor and/or query events stored in the datastore 190 of FIG. 1A and/or datastore 320 of FIG. 3A to identify ransomware.

The example pattern 900 shown in FIG. 9A may be an overwrite pattern. An overwrite pattern may include open, read, write, and close events for a file. In an overwrite pattern 900, a user file may be overwritten by opening the file, reading the content, writing encrypted contents in-place, and then closing the file. The file may additionally be renamed. In some examples, the analytics VM 170 may recognize this pattern of events as malicious activity, such as a ransomware attack. When this pattern of events occurs, as identified by the pattern of events being received by the events processor 316 and/or being stored in the analytics datastore 320, the analytics VM 170 may identify the ransomware attack and issue a notification and/or take a remediation action.

FIG. 9B depicts an example pattern 905 of file server events indicating malicious activity, in accordance with embodiments of the present disclosure. The pattern 905 may be a read-encrypt-delete pattern, including a read pattern 906, an encrypt pattern 907, and a delete pattern 908. In a read-encrypt-delete pattern 905, file contents may be read (e.g., in read pattern 906), encrypted contents may be written (e.g., in encrypt pattern 907), and the files may be deleted without removing the files completely from storage (e.g., in delete pattern 908). For example, a file may be moved to a temporary folder, read and opened, and the encrypted file may be moved back to the original directory. In some examples, the analytics VM 170 may recognize this pattern 905 of events as malicious activity, such as a ransomware attack. When this pattern of events occurs, analytics VM 170 may identify the ransomware attack and issue a notification and/or take a remediation action.

FIG. 9C depicts an example pattern 910 of file server events indicating malicious activity, in accordance with embodiments of the present disclosure. The pattern 910 may be a read-encrypt-overwrite pattern, including a read pattern 911, an encrypt pattern 912, and an overwrite pattern 913. Using a read-encrypt-overwrite pattern, a user file may be read (e.g., in read pattern 911), a new encrypted version of the file may be created (e.g., in encrypt pattern 912), and the original file may be securely deleted or overwritten (e.g., in overwrite pattern 913). A read-encrypt-overwrite pattern 910 may use two independent access streams to read and write data. In some examples, the analytics VM 170 may recognize this pattern 910 of events as a ransomware attack. When this pattern of events occurs, analytics VM 170 may identify the ransomware attack and issue a notification and/or take a remediation action.
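Detection logic for the overwrite pattern 900 can be run over an event stream as shown below. This is an added example, not code from the patent: the event field names, the per-client threshold of three files within 60 seconds, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Overwrite pattern 900: open, read, write in place, close (rename is optional).
OVERWRITE = ("open", "read", "write", "close")


def files_matching(events, pattern=OVERWRITE):
    """Return {client_ip: [(path, completion_time), ...]} for every file whose
    events from one client contain `pattern` as an ordered subsequence."""
    progress = defaultdict(int)   # (client, path) -> next position in pattern
    matched = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["seq"]):
        key = (ev["client_ip"], ev["path"])
        pos = progress[key]
        if pos < len(pattern) and ev["op"] == pattern[pos]:
            progress[key] = pos + 1
            if pos + 1 == len(pattern):
                matched[ev["client_ip"]].append((ev["path"], ev["time"]))
    return matched


def detect_overwrite_burst(events, min_files=3, window=60):
    """Flag clients that complete the pattern on at least `min_files` files
    within `window` seconds. A single ordinary edit also produces
    open/read/write/close, so one match alone is not treated as an attack.
    Both thresholds are assumptions of this example."""
    alerts = {}
    for client, hits in files_matching(events).items():
        hits.sort(key=lambda h: h[1])
        start = 0
        for end in range(len(hits)):
            while hits[end][1] - hits[start][1] > window:
                start += 1
            if end - start + 1 >= min_files:
                alerts[client] = sorted({path for path, _ in hits})
                break
    return alerts


def sample_events():
    """Constructed events; addresses come from the documentation range."""
    events = []

    def add(time, ip, path, op):
        events.append({"seq": len(events) + 1, "time": time,
                       "client_ip": ip, "path": path, "op": op})

    # One user edits a single file: matches the pattern once, below threshold.
    for i, op in enumerate(OVERWRITE):
        add(10 + i, "192.0.2.9", "/share/notes.txt", op)
    # One client overwrites three files within seconds, renaming each one.
    for n, name in enumerate(("a.docx", "b.xlsx", "c.pdf")):
        for i, op in enumerate(OVERWRITE + ("rename",)):
            add(100 + n * 5 + i, "192.0.2.5", "/share/" + name, op)
    # A reader opens and closes a file without writing: no match.
    for i, op in enumerate(("open", "read", "close")):
        add(200 + i, "192.0.2.7", "/share/a.docx", op)
    return events
```

The returned mapping gives both the client address to block and the file paths to treat as affected, which are the inputs the containment and recovery steps need.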

FIG. 10A depicts an example hierarchical structure of a portion of a VFS 1060 during remediation following detection of malicious activity, in accordance with embodiments of the present disclosure. The VFS 1060 may be implemented using any of the methods, structures, and/or components described with respect to the VFS 160, 360, and/or 322 and may have any of the functionality described with respect to the VFS 160, 360, and/or 322. FSVMs 1062 and 1064 form at least a portion of the VFS 1060 and may be implemented using any of the methods, structures, and/or components described with respect to FSVMs 162, 164, 166, 262, 264, 266, 324, 326, and/or 328 and may have any of the functionality described with respect to the FSVMs 162, 164, 166, 262, 264, 266, 324, 326, and/or 328. The share 1080, or portions of the share 1080, are distributed across the FSVMs 1062 and 1064. The share 1080 includes a first directory (e.g., folder-1 1082 and a file-1 1988), a second directory (e.g., including a folder-2 1084, a folder-3 1090, and a file-2 1094), and a third directory (e.g., including a folder-4 1086 and a file-3 1092). In various examples, the share 1080 may be sharded such that the FSVM 1062 and the FSVM 1064 each manage one or more of the directories of the share 1080.

An AVM 1070 may be used to monitor and manage the VFS 1060. The AVM 1070 may be implemented using any of the methods, structures, and/or components described with respect to the analytics VM 170, 270, 370, 334, and/or 770 and may have any of the functionality described with respect to the analytics VM 170, 270, 370, 334, and/or 770. To prevent and/or remediate attacks from known or suspected ransomware signatures, the AVM 1070 may use file blocking policies and self-service restore (SSR) capabilities of the VFS 1060. For example, the AVM 1070 may utilize an API interface to the VFS 1060 to perform file blocking, preventing files from being created or renamed where the created or renamed files would have names or properties corresponding with known ransomware names or properties. The AVM 1070 may further detect malicious activity and communicate with the VFS 1060 to contain malicious activity and remediate and/or recover affected shares after malicious activity (e.g., ransomware attacks). For example, the AVM 1070 may detect malicious activity based on a pattern (e.g., patterns 900, 905, and/or 910), characteristics of files (e.g., entropy), or other criteria and identify file-2 1094 and file-3 1092 as affected by a ransomware attack. For example, a user may have executed file operations on each of file-2 1094 and file-3 1092 showing a read-encrypt-delete pattern 905. In response the AVM 1070 may change the permissions of file-2 1094 and file-3 1092 to be read-only for all users, preventing further changes to the files even in ransomware attacks involving multiple users and/or IP addresses. In some examples, the AVM 1070 may further change permissions for directories including the affected files and/or the entire share. The AVM 1070 may change permissions by, for example, utilizing an API interface to the VFS 1060 to update read/write permissions for files of the VFS 1060.

To recover the VFS 1060 after a detected attack, the AVM 1070 may utilize snapshots of shares, files, directories, or other components of the VFS 1060 taken before the detected attack. In some examples, the snapshots are immutable snapshots, providing a reliable source of backup data for remediation of the VFS 1060. For example, as shown in FIG. 10A, the AVM 1070 may mount a share snapshot 1081 of the share 1080. The share snapshot 1081 may include snapshots of the directories and files of the share 1080. Snapshots may, in some examples, be taken of the VFS 1060 at regular time intervals (e.g., for backup of the VFS 1060). In some examples, the share snapshot 1081 may be constructed from a base snapshot of the share 1080 updated by delta snapshots reflecting changes to the share 1080 made since the preceding snapshot of the share 1080. For example, the share snapshot 1081 includes a first directory (e.g., folder-1 snapshot 1083 and file-1 snapshot 1089), a second directory (e.g., folder-2 snapshot 1085, folder-3 snapshot 1091, and file-2 snapshot 1095), and a third directory (e.g., folder-4 snapshot 1087 and file-3 snapshot 1093). The AVM 1070 may use snapshots of directories, folders, and/or files from the share snapshot 1081 to recover an affected share 1080 after detection of malicious activity.

FIG. 10B depicts an example hierarchical structure of a portion of the VFS 1060 following remediation after detection of malicious activity, in accordance with embodiments of the present disclosure. As shown in FIG. 10B, after remediation of the share 1080, the affected files may be replaced with snapshots of the affected files taken before the detected malicious activity (e.g., ransomware attack). For example, the recovered share 1080 includes file-2 snapshot 1095 in place of affected file-2 1094 and file-3 snapshot 1093 in place of affected file-3 1092.

FIG. 11 is a flow chart of example operations 1100 for detection of malicious activity on a file server in accordance with embodiments of the present disclosure. The analytics system monitors file server events at block 1102. While the operations 1100 are described as being performed by the AVM 1070, the operations 1100 may, in various examples, be performed by other analytics systems described herein (e.g., the analytics VM 170, 270, 370, 334, and/or 770). The AVM 1070 may query metadata and/or events maintained in the analytics datastore 292 (e.g., datastore 320 of FIG. 3A) to monitor file server events. File server events may include patterns (e.g., patterns 900, 905, and/or 910) of activities with respect to files of the file server, attempts to create or save a file with characteristics indicating malicious activity (e.g., using an extension on the denylist), and/or observation of file attributes, such as entropy and the like.

In some examples, the events processor 280 of FIG. 2A and/or events processor 316 of FIG. 3A may monitor file system events. For example, the events processor 280 may scan incoming events for “access denied” (e.g., file blocking policy) events based on requests to create and/or rename files. The events processor 280 may then ascertain whether the extension of the file and/or file name pattern associated with the attempted event matches extensions and/or file name patterns stored in a denylist set of known and/or suspected ransomware. Such a list may be stored in-memory by the events processor in some examples. Audit events determined to be associated with ransomware may be marked accordingly (e.g., by updating a field, e.g., a ‘ransomware_attack’ field) in the record for the event stored in the datastore. Other indicators may also be used. Such an indicator may support later queries of the datastore for ransomware events and related analytics. The events processor may periodically reload (e.g., through an event driven framework supported by publish subscribe mechanisms) new and/or changed ransomware signatures for detection. The ransomware signatures may be added and/or changed, for example, by a user through a user interface.

At block 1104, the AVM 1070 detects one or more file server events for a file matching a criteria indicating malicious activity. The criteria may include, for example, patterns of file server events matching patterns associated with malicious activity (e.g., patterns 900, 905, and/or 910), files of the VFS 1060 having characteristics indicating malicious activity (e.g., measurements of entropy within a file), attempts to save a file with a restricted property (e.g., denylisted extension or file name extension), or other criteria. The AVM 1070 may obtain and/or store criteria at an analytics datastore (e.g., analytics datastore 320 of FIG. 3A) and/or may obtain criteria from the VFS 1060. For example, criteria may be included in file blocking policies of the VFS 1060 and/or may be provided to the VFS 1060 or AVM 1070 through a user interface, such as UI 272 of FIG. 2A.

In some examples, event pattern analysis may be implemented by the AVM 1070 using a supervised machine learning algorithm, other machine learning technique and/or neural network and/or by similarity measurement and consideration of file entropy (e.g., a measure of the “randomness” of the data in a file—measured on a scale of 1 to 8, where typical text files will have a low value, and encrypted or compressed files will have a high measure). The machine learning technique may identify files that are or have been subject to a ransomware attack. In some examples, the similarity measurement and/or file entropy measurement may indicate that the file is or has been subject to a ransomware attack.
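Two of the criteria above, the denylist check on “access denied” create/rename events and the file entropy measurement, are sketched below. This is an added example, not code from the patent: the event fields other than ‘ransomware_attack’, the denylist patterns, the 7.5 and 2.0 entropy thresholds, and the sample data are assumptions constructed for illustration.

```python
import fnmatch
import hashlib
import math
from collections import Counter


def mark_blocked_events(events, denylist):
    """Set the 'ransomware_attack' field on each event record: True only for
    access-denied create/rename requests whose file name matches the denylist."""
    patterns = [p.lower() for p in denylist]
    for ev in events:
        # Accept both SMB-style and POSIX-style separators.
        name = ev["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        blocked = ev["status"] == "access_denied" and ev["op"] in ("create", "rename")
        ev["ransomware_attack"] = blocked and any(
            fnmatch.fnmatchcase(name, p) for p in patterns)
    return events


def shannon_entropy(data):
    """Shannon entropy in bits per byte; 8 is the maximum."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def entropy_jump(before, after, high=7.5, min_rise=2.0):
    """True when content went from low to near-maximal entropy. Requiring a
    rise keeps archives and media, which are always high, from being flagged."""
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    return e_after >= high and e_after - e_before >= min_rise


def demo_criteria():
    """Constructed inputs for both checks."""
    denylist = ["*.encrypted-example", "restore-instructions-example*"]
    events = [
        {"op": "create", "status": "access_denied",
         "path": "/share/docs/report.docx.encrypted-example"},
        {"op": "rename", "status": "access_denied",
         "path": "\\\\fs\\share\\RESTORE-INSTRUCTIONS-EXAMPLE.txt"},
        {"op": "create", "status": "success",
         "path": "/share/docs/notes.encrypted-example"},
        {"op": "write", "status": "access_denied",
         "path": "/share/docs/budget.xlsx"},
        {"op": "create", "status": "access_denied",
         "path": "/share/docs/budget.xlsx"},
    ]
    flags = [ev["ransomware_attack"] for ev in mark_blocked_events(events, denylist)]

    text = b"Quarterly report: revenue figures for the eastern region.\n" * 100
    # Deterministic stand-in for encrypted content: a stream of SHA-256 digests.
    cipher = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                      for i in range(256))
    return (flags, shannon_entropy(text), shannon_entropy(cipher),
            entropy_jump(text, cipher), entropy_jump(cipher, cipher))
```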

Responsive to detection of malicious activity, the AVM 1070 modifies access to the file at block 1106. For example, the AVM 1070 may modify access to the affected file, a directory including the affected file, a share including the affected file, or the like, by making the file, directory, and/or share read only for some or all users accessing the VFS 1060. As shown in FIG. 10A, the AVM 1070 may modify access by making affected files read-only while the share 1080 remains accessible. In some examples, the AVM 1070 may modify access for the share 1080 or for directories in the share 1080 including affected files. For example, the AVM 1070 may make an API call to the VFS 1060 instructing the VFS 1060 to change permissions for the file, directory, and/or share such that the file, directory, and/or share cannot be written to or otherwise changed by users. Modifying access may further include blocking users or clients associated with the identified file server events from accessing the share. For example, where the AVM 1070 detects an overwrite pattern 900 for a file, the AVM 1070 may identify a client IP address performing the overwrite operations of the pattern 900 and may communicate with the VFS 1060 to block the client IP address from accessing the share and/or the VFS 1060 as a whole. Accordingly, the client may be prevented from attacking additional files stored at the VFS 1060. Modifying access to a share or file of the VFS 1060 for users (e.g., making files read-only for users) may prevent further action by other users and, accordingly, may lessen the effects of a coordinated ransomware attack which may involve multiple users and/or IP addresses encrypting files stored at the VFS 1060. Access may be modified for all users with access to a share of the VFS 1060 or may be modified for a subset of users with access to a share of the VFS 1060. For example, access may be modified for non-administrative users, without modifying access for administrative users. 
Similarly, access may be modified for other subsets of users, such as active users, users having write privileges, and the like. When blocking a user associated with malicious activity, that user may be prevented from making additional changes but other users may continue the attack. Making a share of the VFS 1060 read only for all users prevents additional data loss from encryption of additional files in the share by other users.

FIG. 12 is a flow chart of example operations 1200 for recovery of a file server, or portion of a file server, from a malicious attack in accordance with embodiments of the present disclosure. While the operations 1200 are described as being performed by the AVM 1070, the operations 1200 may, in various examples, be performed by other analytics systems described herein (e.g., the analytics VM 170, 270, 370, 334, and/or 770). In some examples, another computing system and/or another VM may perform the operations 1200. At block 1202, the AVM 1070 identifies files affected by malicious activity. Once the AVM 1070 (e.g., using an anomaly engine detecting patterns and/or running a machine learning algorithm) detects the ransomware attack, the AVM 1070 may send an alert (such as an email alert) and may mark the affected share (e.g., a share including the affected files) and/or affected files in a share as read only. To mark the share as read only, the AVM 1070 may make an API call to the virtualized file server to mark files and/or a share as read only, such that no further changes to the files and/or share are accepted by the VFS 1060. In some examples, an affected file share may include only the file subject to the detected ransomware attack. In some examples, the file share may include other files in addition to the file subject to the detected ransomware attack, such as all files stored at the same computing node and/or same block or volume.

In some examples, the AVM 1070 may, after identifying files affected by malicious activity, generate a report on the number of files (and file details) impacted with details of paths that may be used for recovery purposes. For example, an event driven framework supported by a publish-subscribe mechanism may be used to send an email notification to end users when a ransomware attack is detected and/or suspected. Once a ransomware attack has been detected and/or suspected (e.g., by the anomaly detection service 291), the corresponding share of the VFS 1060 having the impacted or affected file may be added to an existing topic (e.g., a Kafka topic). The events processor may then call a notify process to send an email notification regarding the affected files.

The AVM 1070 mounts an affected share and snapshots of the affected share at block 1204. By the time a ransomware attack is detected and recovery begins, there is a possibility of a few files being compromised. The file analytics system (e.g., the AVM 1070) may detect compromised files by analyzing events data and building the path for the affected files. Once the file path and name is available, the AVM 1070 may mount an immutable snapshot of the affected share, such as share snapshot 1081 of share 1080 in FIG. 10A. For example, the AVM 1070 may locate the snapshot using the file path \\share-name\.snapshot and, once the snapshot is mounted, may traverse the files of the snapshot based on the file path and copy those files in a “recover-temp” folder in the local file analytics system. Using the file path, the AVM 1070 further mounts the affected share (e.g., the share 1080 including affected file-2 1094 and affected file-3 1092).

At block 1206, the AVM 1070 recovers the affected share by copying snapshots of affected files to the affected share. In some examples, the AVM 1070 may delete affected files from the affected share. Once the affected files are deleted, the AVM 1070 may copy files from the “recover-temp” folder containing the snapshots of the files. In this manner, the affected or attacked files may be deleted and replaced with a previous (e.g., most recent) version of the files from prior to the attack from a stored snapshot. For example, the recovered share 1080 shown in FIG. 10B includes file-2 snapshot 1095 in place of affected file-2 1094 and file-3 snapshot 1093 in place of affected file-3 1092. Further, the AVM 1070 may recover affected shares without additional input or action from, for example, a systems administrator, such that files are recovered quickly.

The AVM 1070 mounts the recovered share to the VFS 1060 at block 1208. When mounting the recovered share to the VFS 1060, the snapshots may be given the same permissions as the affected files prior to the attack. For example, users who were able to edit the files (e.g., with read/write permission) may continue to edit the snapshots and users who had read-only access may continue with read-only access. In some examples, users associated with the attack or malicious activity may be blocked from editing the files and/or may be blocked from accessing the share and/or the VFS 1060. The recovery operations 1200 may occur automatically, without additional intervention from administrative users. Accordingly, a share affected by a ransomware attack may be restored for users quickly, relative to manual restoration. For example, the AVM 1070 may mount a snapshot of an affected share responsive to detection of malicious activity without further intervention by administrative users or others. Where files of the VFS 1060 are accessed and updated often, this may simplify recovery and lessen data loss from a ransomware attack, as there is less down time between detection and recovery, where users may, for example, save changes as new files elsewhere in the VFS 1060 or external to the VFS 1060.
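The staging and replacement steps of blocks 1204 and 1206 are sketched below. This is an added example, not code from the patent: local directories stand in for the mounted share and its snapshot, and the path containment check and the handling of files that have no snapshot version are assumptions of the sketch.

```python
import os
import shutil
import tempfile


def _inside(root, rel_path):
    """Resolve rel_path under root and refuse anything that escapes it. Paths
    are built from event data, so they are validated before any file operation."""
    root = os.path.realpath(root)
    full = os.path.realpath(os.path.join(root, rel_path))
    if os.path.commonpath([root, full]) != root:
        raise ValueError("path escapes root: " + rel_path)
    return full


def recover_share(share_root, snapshot_root, affected, temp_root):
    """Replace affected files with their snapshot versions via a staging folder.
    Returns (restored, skipped) lists of share-relative paths."""
    staged, skipped = [], []
    # Stage snapshot copies in the "recover-temp" folder first.
    for rel in affected:
        source = _inside(snapshot_root, rel)
        if not os.path.isfile(source):
            # No pre-attack version exists. Assumption of this sketch: leave
            # the file in place and report it rather than delete it.
            skipped.append(rel)
            continue
        staged_copy = _inside(temp_root, rel)
        os.makedirs(os.path.dirname(staged_copy), exist_ok=True)
        shutil.copy2(source, staged_copy)   # copy2 keeps mode bits and timestamps
        staged.append(rel)
    # Delete each affected file only once its replacement is staged.
    for rel in staged:
        target = _inside(share_root, rel)
        if os.path.lexists(target):
            os.remove(target)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(_inside(temp_root, rel), target)
    return staged, skipped


def demo_recovery():
    """Constructed share and snapshot trees in a temporary directory."""
    with tempfile.TemporaryDirectory() as base:
        share = os.path.join(base, "share")
        snapshot = os.path.join(base, "snapshot")
        temp = os.path.join(base, "recover-temp")
        originals = {"folder-2/file-2.txt": "budget v7",
                     "folder-4/file-3.txt": "contract draft"}
        for rel, text in originals.items():
            for root, body in ((snapshot, text), (share, "<encrypted bytes>")):
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "w") as fh:
                    fh.write(body)
        note = os.path.join(share, "note-created-after-snapshot.txt")
        with open(note, "w") as fh:
            fh.write("constructed file with no snapshot version")
        os.makedirs(temp)

        affected = list(originals) + ["note-created-after-snapshot.txt"]
        restored, skipped = recover_share(share, snapshot, affected, temp)
        contents = {}
        for rel in originals:
            with open(os.path.join(share, rel)) as fh:
                contents[rel] = fh.read()
        try:
            recover_share(share, snapshot, ["../outside.txt"], temp)
            traversal_rejected = False
        except ValueError:
            traversal_rejected = True
        return restored, skipped, contents, os.path.exists(note), traversal_rejected
```

Staging every replacement before deleting anything means a missing or unreadable snapshot file leaves the share untouched for that path instead of producing a deleted file with nothing to restore.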

FIG. 13 is a flow chart of example operations 1300 for updating a malware detection system in accordance with embodiments of the present disclosure. While the operations 1300 are described as being performed by the AVM 1070, the operations 1300 may, in various examples, be performed by other analytics systems described herein (e.g., the analytics VM 170, 270, 370, 334, and/or 770). In some examples, a different VM and/or computing system may perform the operations 1300. The AVM 1070 generates a notification of malicious activity at block 1302. The notification of malicious activity may include, in various examples, details about files and/or shares affected by the attack, actions taken to remediate the VFS 1060 responsive to the malicious activity, actions taken to recover the VFS 1060 responsive to the malicious activity, and/or other information about the malicious activity and its detection. The notification may, in some examples, be delivered as an email message, push notification, text message, or similar message to a system administrator. In some examples, the notification may be provided through a user interface to the analytics system, such as the UI 272 in FIG. 2A. The AVM 1070 may, in some examples, deliver the notification before full recovery of the VFS 1060. For example, the AVM 1070 may send the notification upon detection of malicious activity and protecting the VFS 1060 from further attack (e.g., by making affected shares read-only and blocking IP addresses involved in the attack). In some examples, the notification may be delivered after full recovery of affected shares of VFS 1060 (e.g., by replacing affected files with snapshot copies).

At block 1304, the AVM 1070 reports malicious activity, including one or more file server elements affected by malicious activity and subsequently restored (e.g., recovered). A report may be, in some examples, provided as an email or other message to a system administrator or the like. In some examples, the AVM 1070 may update a dashboard (e.g., the dashboard provided by the user interface 600) to reflect the malicious activity detected by the AVM 1070.

The AVM 1070 updates a file blocking policy based on file server events associated with malicious activity at block 1306. For example, in addition to blocking an IP address and/or other identifying indicia (e.g., deactivating access credentials) of the suspected attacker or multiple suspected attackers, the AVM 1070 may update the file blocking policy to include filenames, extensions, and/or signatures used in the attack. Accordingly, files with the same filename, extensions, and/or signatures may be blocked from creation at the VFS 1060, either through creation of new files or through renaming of existing files.

The analytics system described herein provides detection of malicious activity and may provide immediate recovery from malicious activity (e.g., ransomware attacks). In addition to providing protection from known ransomware attacks (e.g., with known file extensions, IP addresses, file names, and the like) using denylists, the analytics system may detect malicious activity based on other criteria, such as file event patterns associated with malicious activity and characteristics of files saved to a virtualized file system. The additional criteria may facilitate detection of malicious activity not associated with known attacks, providing more protection from novel attacks without modifying file blocking policies and/or denylists. Further, the analytics system may take immediate action to recover a file system after detection of such an attack, which may reduce impact from such attacks. For example, by immediately updating access to affected files and/or directories and restoring affected shares from snapshots, the analytics system may in some examples reduce the number of files affected by attacks and may reduce data loss from such attacks compared to other methods of detecting and recovery from malicious activity in virtualized file servers.

In some examples, systems and methods described herein may include validation of candidate files suspected of being affected by malicious activity. Validation may be used to reduce and/or eliminate false-positive detections of malicious activity. For example, a certain set of file server events or a threshold level of file entropy or other indication may be used to identify candidate files that are suspected of being affected by malicious activity. In some examples, this may be a large number of files and/or file shares or other storage items. In some examples, the suspected activity may not be malicious—e.g., a user may have innocently caused the file server events and/or level of entropy, or another reason may cause a false positive, where a file or file share or other storage item is suspected of being affected by malicious activity, but has not been.

While examples are described where an analytics VM performs the malicious activity detection, validation, and/or remediation, it is to be understood that in some examples, a VM may not be used to implement the described functionality. For example, cloud or other computing systems may be used and may utilize one or more containers, processing modules, daemons, engines, or other computing system components to perform the described functionality.

FIG. 14 is a flow chart of example operations for recovery of a file server, or portion of a file server, from a malicious attack in accordance with embodiments of the present disclosure that include operations to validate the files, file share(s), directories, or other storage items affected by the malicious activity. While the operations 1200 are described as being performed by the AVM 1070, the operations 1200 may, in various examples, be performed by other analytics systems described herein (e.g., the analytics VM 170, 270, 370, 334, and/or 770). In some examples, another computing system and/or another VM may perform the operations 1200. In some examples, a cloud system may be used, and the functionality may be provided in a container or other component. At block 1402, the AVM 1070 identifies files suspected to be affected by malicious activity (e.g., using an anomaly engine detecting patterns and/or running a machine learning algorithm). The files (or other storage items) which are suspected of being affected by malicious activity may be referred to as candidate files. For example, these may include the set of files that have been subjected to a particular pattern of file server events and/or have greater than a threshold level of entropy and/or have otherwise been identified by malicious activity detection methodologies described herein. Note that there may be a large number of storage items suspected of being impacted by malicious activity (e.g., tens of files or folders, hundreds of files or folders, thousands of files or folders).

In block 1404, examples described herein may validate the files (or other storage items) suspected of being affected by malicious activity. The validation may be performed, for example, by AVM 1070, but may also be performed by other examples of analytics systems described herein (e.g., analytics VM 170, 270, 370, 334, and/or 770). In some examples, all the files suspected of being affected by malicious activity may be validated as described herein. However, validation of the files may be computationally expensive and/or cumbersome. Accordingly, it may be undesirable in some examples to validate all files or other storage items suspected of being affected by malicious activity.

Accordingly, examples of analytics systems described herein may select a subset of the files suspected of being affected by malicious activity for validation. The subset of files may be referred to as one or more sample files. If all (or greater than a threshold number) of the sample files are validated (e.g., confirmed to be affected by malicious activity), then all the files suspected of being affected by that malicious activity may be considered validated and may be remediated or otherwise addressed as described herein for affected files. Any number or percentage of files may be used as the subset of files—e.g., one file, five files, ten files, one percent of the suspected affected files, five percent of the suspected affected files, ten percent of the suspected affected files, or twenty-five percent of the suspected affected files. Other numbers of files or percentages may be used in other examples.

Accordingly, in some examples, validation may occur by comparing a file type of a sample file after the suspected malicious activity occurred with a file type of the sample file before the suspected malicious activity occurred. If the malicious activity were truly malicious (e.g., not a false positive), the file type of the sample file affected by the malicious activity would be changed from a non-encrypted file type to an encrypted file type. File type may generally refer to a format of the file, and an identification of the file type may be included in metadata associated with the file (e.g., a header of the file). In some examples, the file type may be indicated by the extension of the file. In some examples, the file type may be a Multipurpose Internet Mail Extension (MIME) type of the file.

In some examples, in block 1404, the MIME type of the sample file is compared before and after the suspected malicious activity. A MIME type may also be referred to as a media type. The MIME type may be stored in the file and/or in metadata associated with the file. Examples of MIME types include, but are not limited to, audio/aac, application/x-abiword, application/x-freearc, image/avif, video/x-msvideo, application/vnd.amazon.ebook, application/octet-stream, image/bmp, application/x-bzip, application/x-cdf, application/x-csh, text/csv, application/msword, application/vnd.openxmlformats-officedocument.wordprocessingml.document, application/vnd.ms-fontobject, application/epub+zip, application/gzip, image/gif, text/html, image/vnd.microsoft.icon, text/calendar, application/java-archive, image/jpeg, text/javascript, application/json, application/ld+json, audio/midi, audio/mpeg, video/mp4, video/mpeg, application/vnd.apple.installer+xml, application/vnd.oasis.opendocument.spreadsheet, application/vnd.oasis.opendocument.text, audio/ogg, video/ogg, application/ogg, audio/opus, font/otf, image/png, application/pdf, application/x-httpd-php, application/vnd.ms-powerpoint, application/vnd.openxmlformats-officedocument.presentationml.presentation, application/vnd.rar, application/rtf, application/x-sh, image/svg+xml, application/x-shockwave-flash, application/x-tar, image/tiff, video/mp2t, font/ttf, text/plain, application/vnd.visio, audio/wav, audio/webm, video/webm, image/webp, font/woff, font/woff2, application/xhtml+xml, application/vnd.ms-excel, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet, application/xml, application/vnd.mozilla.xul+xml, application/zip, video/3gpp, application/x-7z-compressed.

The comparison of the MIME type before and after the malicious activity may be used to validate the detection of the malicious activity. For example, the suspected malicious activity may be considered actual malicious activity if the MIME type of the sample file had changed. For example, the malicious activity may change the MIME type of the file from one that was not indicative of an encrypted file to a MIME type that was indicative of an infected file, such as an encrypted file. For example, the MIME type octet-stream (e.g., application/octet-stream) may indicate an encrypted file or other type of binary file or unknown file. If the sample file did not have a MIME type octet-stream prior to the suspected malicious activity, but did have a MIME type octet-stream after the suspected malicious activity, an analytics system described herein may determine that the suspected malicious activity was actual malicious activity (e.g., validate the determination of malicious activity).

Recall it may be an expensive and/or cumbersome operation to compare the MIME type of a file before and after suspected malicious activity. Note that examples of systems described herein may not compare the MIME type of files until after suspecting malicious activity. Note further that examples of systems described herein may compare the pre- and post-malicious activity MIME type of only a sample file, or multiple sample files, of a group of files suspected to be affected by the malicious activity. For example, an analytics datastore (such as that shown in FIG. 7A, FIG. 3D, FIG. 3A, and/or FIG. 2B) may include metadata from a scan of a virtualized file server described herein. Metadata from a time point prior to the suspected malicious activity may be accessed to identify the pre-malicious activity file type, such as the MIME type, of a sample file. Accordingly, analytics systems described herein, such as AVM 1070, may determine the pre-malicious activity MIME type by referencing a database of previously scanned metadata for the file system. To obtain the file type, such as the MIME type, of the file after the suspected malicious activity, examples of analytics systems described herein may request the file type, such as the MIME type, from the file server. For example, the analytics system 260 may request the file type of a sample file from the VFS 260 of FIG. 2A. In some examples, the virtualized file server may expose an API for such a request. Accordingly, an analytics system (such as an analytics VM) may provide an API call to a file server with an identification of one or more sample files. For example, the API call may include inode numbers or other identifiers of one or more sample files. Responsive to the API call, the file server may return the file type, such as the MIME type in some examples, of the requested files. Analytics systems described herein, such as AVM 270 of FIG. 2, may accordingly compare a pre-malicious activity file type of a sample file stored in a database maintained by the analytics system (e.g., analytics database 292 of FIG. 2A) with a post-malicious activity file type of the sample file obtained from the file server (e.g., from the VFS 260 of FIG. 2A) that reflects the current file type of the sample file in some examples.

If the comparison of the file type of the sample file before and after the suspected malicious activity indicates malicious activity has occurred, the malicious activity may be validated (e.g., taken to be an accurate malicious activity detection). If the suspected malicious activity is validated for all, or in some examples, a threshold number or percentage, of sample files, the malicious activity may be considered by analytics systems described herein to be validated for all the suspected files. For example, if malicious activity is suspected for a group of 1000 files, 10 files may be selected as sample files. The selection may be random or may be made in accordance with file types, sizes, or other criteria. The analytics system may compare file types of the 10 files before and after the suspected malicious activity. If the comparison for all or greater than a threshold number (e.g., greater or equal to 8 files) validates the malicious activity, the analytics system may consider the malicious activity validated as to all suspected files (e.g., all 1000 files). All files affected by validated malicious activity may accordingly be remediated and/or addressed in accordance with examples described herein relating to remediating malicious activity.
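The sample-based validation described above can be sketched as follows. This is an added example, not code from the disclosure: the `FileServerStub` class, its `get_file_types` call, the magic-byte table, and all file contents are hypothetical stand-ins constructed for illustration, and the rule that a file already typed as octet-stream before the activity yields no evidence is an assumption of this sketch.

```python
import random

# Constructed magic-byte table standing in for the file server's type detection.
MAGIC = [
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"PK\x03\x04", "application/zip"),
    (b"\xff\xd8\xff", "image/jpeg"),
]
ENCRYPTED_TYPES = {"application/octet-stream"}  # types treated as possibly encrypted


def sniff_mime(head: bytes) -> str:
    """Return a MIME type from leading bytes; unknown binary is octet-stream."""
    for magic, mime in MAGIC:
        if head.startswith(magic):
            return mime
    try:
        head.decode("utf-8")
        return "text/plain"
    except UnicodeDecodeError:
        return "application/octet-stream"


class FileServerStub:
    """Hypothetical stand-in for a file server API keyed by inode number."""

    def __init__(self, contents):
        self.contents = contents  # inode -> current bytes

    def get_file_types(self, inodes):
        return {i: sniff_mime(self.contents[i][:16]) for i in inodes if i in self.contents}


def validate_detection(candidates, baseline, server, sample_size=10, threshold=8, seed=0):
    """Validate suspected malicious activity on a sample of candidate inodes.

    baseline: inode -> MIME type recorded by the last metadata scan (pre-activity).
    Returns (validated, per_file_verdicts).
    """
    rng = random.Random(seed)
    sample = rng.sample(sorted(candidates), min(sample_size, len(candidates)))
    current = server.get_file_types(sample)  # one call for the whole sample
    verdicts = {}
    for inode in sample:
        before, after = baseline.get(inode), current.get(inode)
        if before is None or after is None:
            verdicts[inode] = "no-evidence"  # never scanned, or no longer present
        elif before in ENCRYPTED_TYPES:
            verdicts[inode] = "no-evidence"  # was already opaque before the activity
        elif after in ENCRYPTED_TYPES:
            verdicts[inode] = "changed-to-encrypted"
        else:
            verdicts[inode] = "unchanged" if after == before else "changed-other"
    hits = sum(v == "changed-to-encrypted" for v in verdicts.values())
    # When fewer candidates exist than sample_size, every sampled file must agree.
    required = min(threshold, len(sample))
    return hits > 0 and hits >= required, verdicts


# Constructed file bodies used only for this demonstration.
ORIGINALS = [
    ("application/pdf", b"%PDF-1.7\n%constructed"),
    ("image/png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("application/zip", b"PK\x03\x04\x14\x00constructed"),
    ("text/plain", b"quarterly report\n"),
]
OPAQUE = b"\x9c\x1f\xe0\x07\xb3\x5a\xd1\x88constructed-ciphertext"


def build_scenario(n_files, n_encrypted):
    """Constructed data: n_files candidates, the first n_encrypted overwritten."""
    baseline, contents = {}, {}
    for inode in range(1, n_files + 1):
        mime, body = ORIGINALS[inode % len(ORIGINALS)]
        baseline[inode] = mime
        contents[inode] = OPAQUE if inode <= n_encrypted else body
    return set(baseline), baseline, FileServerStub(contents)


if __name__ == "__main__":
    for label, enc in [("attack", 1000), ("false positive", 0)]:
        ok, verdicts = validate_detection(*build_scenario(1000, enc))
        print(label, "validated:", ok, verdicts)
```

The per-file verdicts are worth keeping alongside the boolean result: a sample dominated by "no-evidence" means the baseline scan is stale or incomplete, which is a different operational problem from a false positive.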

For example, and as also described with reference to FIG. 12, AVM 1070 may send an alert (such as an email alert) and may mark the affected share (e.g., a share including the affected files) and/or affected files in a share as read only. To mark the share as read only, the AVM 1070 may make an API call to the virtualized file server to mark files and/or a share as read only, such that no further changes to the files and/or share are accepted by the VFS 1060. In some examples, an affected file share may include only the file subject to the detected ransomware attack. In some examples, the file share may include other files in addition to the file subject to the detected ransomware attack, such as all files stored at the same computing node and/or same block or volume.

In some examples, the AVM 1070 may, after identifying files affected by validated malicious activity, generate a report on the number of files (and file details) impacted with details of paths that may be used for recovery purposes. For example, an event driven framework supported by a publish-subscribe mechanism may be used to send an email notification to end users when a ransomware attack is detected and/or suspected. Once a ransomware attack has been detected and/or suspected (e.g., by the anomaly detection service 291), the corresponding share of the VFS 1060 having the impacted or affected file may be added to an existing topic (e.g., a Kafka topic). The events processor may then call a notify process to send an email notification regarding the affected files.

The AVM 1070 mounts an affected share and snapshots of the affected share at block 1406. By the time a ransomware attack is detected and recovery begins, there is a possibility of a few files being compromised. A file analytics system (e.g., the AVM 1070) may detect compromised files by analyzing events data and building the path for the affected files. Once the file path and name are available, the AVM 1070 may mount an immutable snapshot of the affected share, such as share snapshot 1081 of share 1080 in FIG. 10A. For example, the AVM 1070 may locate the snapshot using the file path \\share-name\.snapshot and, once the snapshot is mounted, may traverse the files of the snapshot based on the file path and copy those files to a “recover-temp” folder in the local file analytics system. Using the file path, the AVM 1070 further mounts the affected share (e.g., the share 1080 including affected file-2 1094 and affected file-3 1092).

At block 1408, the AVM 1070 recovers the affected share by copying snapshots of affected files to the affected share. In some examples, the AVM 1070 may delete affected files from the affected share. Once the affected files are deleted, the AVM 1070 may copy files from the “recover-temp” folder containing the snapshots of the files. In this manner, the affected or attacked files may be deleted and replaced with a previous (e.g., most recent) version of the files from prior to the attack from a stored snapshot. For example, the recovered share 1080 shown in FIG. 10B includes file-2 snapshot 1095 in place of affected file-2 1094 and file-3 snapshot 1093 in place of affected file-3 1092. Further, the AVM 1070 may recover affected shares without additional input or action from, for example, a systems administrator, such that files are recovered quickly.

The AVM 1070 mounts the recovered share to the VFS 1060 at block 1410. When mounting the recovered share to the VFS 1060, the snapshots may be given the same permissions as the affected files prior to the attack. For example, users who were able to edit the files (e.g., with read/write permission) may continue to edit the snapshots and users who had read-only access may continue with read-only access. In some examples, users associated with the attack or malicious activity may be blocked from editing the files and/or may be blocked from accessing the share and/or the VFS 1060. The recovery operations of FIG. 14 may occur automatically, without additional intervention from administrative users. Accordingly, a share affected by a ransomware attack may be restored for users quickly, relative to manual restoration. For example, the AVM 1070 may mount a snapshot of an affected share responsive to detection of malicious activity without further intervention by administrative users or others. Where files of the VFS 1060 are accessed and updated often, this may simplify recovery and lessen data loss from a ransomware attack, as there is less down time between detection and recovery, where users may, for example, save changes as new files elsewhere in the VFS 1060 or external to the VFS 1060.
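The staging, delete, and copy-back sequence of blocks 1406 through 1410 can be sketched on a local directory tree as follows. This is an added example, not code from the disclosure: the function names and the constructed share are hypothetical, and the two guards (skipping files with no snapshot version, and rejecting paths that resolve outside the share or snapshot) are assumptions added because the paths are built from events data.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path


def inside(root: Path, path: Path) -> bool:
    """True when the resolved path lies under root."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def recover_share(share: Path, snapshot: Path, affected, staging: Path):
    """Replace affected files in `share` with their versions from `snapshot`.

    affected: share-relative paths built from events data.
    Returns {"restored": [...], "skipped": [...]}; skipped files are left
    untouched because no earlier version is available to restore.
    """
    share, snapshot = share.resolve(), snapshot.resolve()
    staging.mkdir(parents=True, exist_ok=True)
    staged, skipped = [], []
    # Step 1: copy snapshot versions into recover-temp before touching the share.
    for rel in affected:
        src = (snapshot / rel).resolve()
        live = (share / rel).resolve()
        # Refuse paths that escape either root, and files the snapshot lacks.
        if not inside(snapshot, src) or not inside(share, live) or not src.is_file():
            skipped.append(rel)
            continue
        tmp = staging / rel
        tmp.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, tmp)  # copy2 carries mode bits and timestamps
        staged.append(rel)
    # Step 2: delete each affected file, then copy the staged version in its place.
    for rel in staged:
        live = share / rel
        if live.exists():
            live.unlink()
        live.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(staging / rel, live)
    return {"restored": staged, "skipped": skipped}


def demo():
    """Constructed share: two overwritten files, one file newer than the snapshot."""
    root = Path(tempfile.mkdtemp(prefix="share-demo-"))
    share = root / "share"
    snap = share / ".snapshot"  # mirrors the \\share-name\.snapshot layout
    for rel, text in [("docs/file-2.txt", "budget v3"), ("docs/file-3.txt", "roadmap")]:
        for base, body in [(snap, text), (share, "\x00ENCRYPTED\x00")]:
            p = base / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        os.chmod(snap / rel, 0o640)  # pre-attack permissions held by the snapshot
    (share / "notes").mkdir()
    (share / "notes" / "new.txt").write_text("created after the snapshot")
    affected = ["docs/file-2.txt", "docs/file-3.txt", "notes/new.txt", "../outside.txt"]
    result = recover_share(share, snap, affected, root / "recover-temp")
    result["file2"] = (share / "docs/file-2.txt").read_text()
    result["mode"] = stat.S_IMODE((share / "docs/file-2.txt").stat().st_mode)
    result["new_kept"] = (share / "notes" / "new.txt").exists()
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

Staging every snapshot copy before the first delete means a failure while reading the snapshot leaves the share in its detected state rather than half restored.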

Of course, it is to be appreciated that any one of the examples, embodiments or processes described herein may be combined with one or more other examples, embodiments and/or processes or be separated and/or performed amongst separate devices or device portions in accordance with the present systems, devices and methods.

Finally, the above discussion is intended to be merely illustrative of the present system and should not be construed as limiting the appended claims to any particular embodiment or group of embodiments. Thus, while the present system has been described in particular detail with reference to exemplary embodiments, it should also be appreciated that numerous modifications and alternative embodiments may be devised by those having ordinary skill in the art without departing from the broader and intended spirit and scope of the present system as set forth in the claims that follow. Accordingly, the specification and drawings are to be regarded in an illustrative manner and are not intended to limit the scope of the appended claims.

From the foregoing it will be appreciated that, although specific embodiments have been described herein for purposes of illustration, various modifications may be made while remaining within the scope of the claimed technology.

Examples described herein may refer to various components as “coupled” or signals as being “provided to” or “received from” certain components. It is to be understood that in some examples the components are directly coupled one to another, while in other examples the components are coupled with intervening components disposed between them. Similarly, signals may be provided directly to and/or received directly from the recited components without intervening components, but also may be provided to and/or received from the certain components through intervening components.

What is claimed is:
 1. At least one computer readable medium encoded with instructions which, when executed, cause a system to: detect one or more file server events in a distributed file server, the one or more file server events indicative of malicious activity, the distributed file server hosting files distributed across multiple computing nodes; identify candidate files in the distributed file server, the candidate files suspected of being compromised by the malicious activity; and validate the candidate files were compromised by the malicious activity, wherein said validate comprises comparing, for a sample file of the candidate files, a file type of the sample file prior to detection of the malicious activity and a file type of the sample file after the malicious activity; and recover a share of the distributed file server including the candidate files by replacing the candidate files with stored versions from a snapshot of the share taken prior to the detected malicious activity.
 2. The at least one computer readable medium of claim 1, wherein said comparing a file type of the sample file comprises comparing a MIME type of the sample file.
 3. The at least one computer readable medium of claim 1, wherein said comparing validates the candidate files were compromised when the file type of the sample file after the malicious activity is an encrypted file type and the file type of the sample file before the malicious activity is other than an encrypted file type.
 4. The at least one computer readable medium of claim 1, wherein said comparing comprises requesting a current file type of the sample file from the distributed file server and comparing the current file type with a previously stored file type for the sample file.
 5. The at least one computer readable medium of claim 4, wherein said requesting the current file type comprises providing an identification of the sample file to the distributed file server in an API call.
 6. The at least one computer readable medium of claim 1, wherein said detect one or more file server events comprises compare a sequence of events for a file of the distributed file server to one or more patterns of file server events associated with malicious activity.
 7. The at least one computer readable medium of claim 1, wherein said detect one or more file server events comprises compare a file entropy measurement of a file of the distributed file server to a threshold file entropy measurement.
 8. The at least one computer readable medium of claim 1, wherein the share of the distributed file server including the at least one affected file includes files distributed across a first computing node and a second computing node, wherein the instructions further cause the system to retrieve a first portion of the snapshot of the share from the first computing node and a second portion of the snapshot of the share from the second computing node.
 9. The at least one computer readable medium of claim 1, wherein the instructions further cause the system to update a file blocking policy of the distributed file server based on the file server events associated with the detected malicious activity.
 10. The at least one computer readable medium of claim 1, wherein the instructions further cause the system to, when recovering the share of the distributed file server including the at least one affected file: mount the share and the snapshot of the share; delete the at least one affected file from the share; and copy the stored version of the at least one file from the snapshot of the share to the share.
 11. The at least one computer readable medium of claim 1, wherein the instructions further cause the system to restrict access to the at least one affected file in the distributed file server prior to recovery of the share of the distributed file server including the at least one affected file.
 12. The at least one computer readable medium of claim 1, wherein the detected malicious activity is a ransomware attack.
 13. A system comprising: a distributed file server hosting files across a cluster of computing nodes; an analytics service, the analytics service configured to: detect one or more file server events in the distributed file server indicative of malicious activity; identify candidate files in the distributed file server, the candidate files suspected of being compromised by the malicious activity; and validate the candidate files were compromised by the malicious activity, wherein said validate comprises comparing, for a sample file of the candidate files, a file type of the sample file prior to detection of the malicious activity and a file type of the sample file after the malicious activity; and recover a share of the distributed file server including the candidate files at least in part by replacing the candidate files with stored versions file from a snapshot of the share taken prior to the malicious activity.
 14. The system of claim 13, wherein said analytics service is configured to validate at least in part by comparing a MIME type of the sample file.
 15. The system of claim 13, wherein said analytics service is configured to validate the candidate files were compromised when the file type of the sample file after the malicious activity is an encrypted file type and the file type of the sample file before the malicious activity is other than an encrypted file type.
 16. The system of claim 13, wherein said analytics service is configured to request a current file type of the sample file from the distributed file server and compare the current file type with a previously stored file type for the sample file.
 17. The system of claim 16, wherein said analytics service is configured to request the current file type by providing an identification of the sample file to the distributed file server in an API call.
 18. The system of claim 13, wherein the analytics service is configured to detect the one or more file server events indicative of malicious activity at least in part by comparing a sequence of events for a file of the distributed file server to one or more patterns of file server events associated with the malicious activity.
 19. The system of claim 23, wherein the share of the distributed file server including the at least one affected file includes files distributed across a first computing node and a second computing node of the cluster of computing nodes, wherein the analytics service is further configured to retrieve a first portion of the snapshot of the share from the first computing node and a second portion of the snapshot of the share from the second computing node.
 20. The system of claim 13, wherein the analytics service is further configured to update a file blocking policy of the distributed file server based on the file server events associated with the detected malicious activity.
 21. The system of claim 13, wherein the analytics service is further configured to, when recovering the share of the distributed file server including the at least one affected file: mount the share and the snapshot of the share; delete the at least one affected file from the share; and copy the stored version of the at least one file from the snapshot of the share to the share.
 22. The system of claim 13, wherein the analytics service is further configured to restrict access to the at least one affected file in the distributed file server prior to recovering the share of the distributed file server including the at least one affected file.
 23. The system of claim 13, wherein the malicious activity is a ransomware attack.
 24. A method comprising: detecting one or more file server events in a distributed file server indicative of malicious activity, the distributed file server hosting files distributed across multiple computing nodes; identifying candidate files in the distributed file server, the candidate files suspected of being compromised by the malicious activity; validating the candidate files were compromised by the malicious activity, wherein said validating comprises comparing, for a sample file of the candidate files, a file type of the sample file prior to detection of the malicious activity and a file type of the sample file after the malicious activity; and recovering a share of the distributed file server including the candidate files by replacing the candidate files with stored versions from a snapshot of the share taken prior to the detected malicious activity.
 25. The method of claim 24, wherein said comparing a file type of the sample file comprises comparing a MIME type of the sample file.
 26. The method of claim 24, wherein said comparing validates the candidate files were compromised when the file type of the sample file after the malicious activity is an encrypted file type and the file type of the sample file before the malicious activity is other than an encrypted file type.
 27. The method of claim 24, wherein said comparing comprises requesting a current file type of the sample file from the distributed file server and comparing the current file type with a previously stored file type for the sample file.
 28. The method of claim 27, wherein said requesting the current file type comprises providing an identification of the sample file to the distributed file server in an API call.
 29. The method of claim 24, further comprising detecting the one or more file server events indicative of malicious activity at least in part by comparing a sequence of events for a file of the distributed file server to one or more patterns of file server events associated with malicious activity.
 30. The method of claim 24, wherein recovering the share of the distributed file server comprises retrieving a first portion of the snapshot of the share from a first computing node of the multiple computing nodes and a second portion of the snapshot of the share from a second computing node of the multiple computing nodes.
 31. The method of claim 24, further comprising updating a file blocking policy of the distributed file server based on the file server events associated with the malicious activity.
 32. The method of claim 24, further comprising generating a report of the malicious activity including the at least one affected file and the share including the at least one affected file.
 33. The method of claim 24, wherein recovering the share of the distributed file server including the at least one affected file comprises: deleting the at least one affected file from the share; and copying the stored version of the at least one file from the snapshot of the share to the share.
 34. The method of claim 24, further comprising restricting access to the at least one affected file in the distributed file server prior to recovering the share of the distributed file server including the at least one affected file.
 35. The method of claim 24, wherein the detected malicious activity is a ransomware attack. 